Kind
CleanupPolicy
Group
kyverno.io
Version
v2beta1
apiVersion: kyverno.io/v2beta1
kind: CleanupPolicy
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object required
Spec declares policy behaviors.
conditions object
Conditions defines the conditions used to select the resources which will be cleaned up.
all []object
AllConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass.
key object
Key is the context entry (using JMESPath) for conditional rule evaluation.
message string
Message is an optional display message
operator string
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
enum: Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
value object
Value is the conditional value, or set of values. The values can be a fixed set or can be variables declared using JMESPath.
any []object
AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions needs to pass.
key object
Key is the context entry (using JMESPath) for conditional rule evaluation.
message string
Message is an optional display message
operator string
Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
enum: Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan
value object
Value is the conditional value, or set of values. The values can be a fixed set or can be variables declared using JMESPath.
context []object
Context defines variables and data sources that can be used during rule execution.
apiCall object
APICall is an HTTP request to the Kubernetes API server, or other JSON web service. The data returned is stored in the context with the name for the context entry.
data []object
The data object specifies the POST data sent to the server. Only applicable when the method field is set to POST.
key string required
Key is a unique identifier for the data value
value object required
Value is the data value
default object
Default is an optional arbitrary JSON object that the context value is set to, if the apiCall returns an error.
jmesPath string
JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the server. For example a JMESPath of "items | length(@)" applied to the API server response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces.
method string
Method is the HTTP request type (GET or POST). Defaults to GET.
enum: GET, POST
service object
Service is an API call to a JSON web service. This is used for non-Kubernetes API server calls. It's mutually exclusive with the URLPath field.
caBundle string
CABundle is a PEM encoded CA bundle which will be used to validate the server certificate.
headers []object
Headers is a list of optional HTTP headers to be included in the request.
key string required
Key is the header key
value string required
Value is the header value
url string required
URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`.
urlPath string
URLPath is the URL path to be used in the HTTP GET or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. It's mutually exclusive with the Service field.
configMap object
ConfigMap is the ConfigMap reference.
name string required
Name is the ConfigMap name.
namespace string
Namespace is the ConfigMap namespace.
globalReference object
GlobalContextEntryReference is a reference to a cached global context entry.
jmesPath string
JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the server. For example a JMESPath of "items | length(@)" applied to the API server response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces.
name string required
Name of the global context entry
imageRegistry object
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
imageRegistryCredentials object
ImageRegistryCredentials provides credentials that will be used for authentication with the registry.
allowInsecureRegistry boolean
AllowInsecureRegistry allows insecure access to a registry.
providers []string
Providers specifies a list of OCI Registry names, whose authentication providers are provided. It can be one of these values: default, google, azure, amazon, github.
secrets []string
Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.
jmesPath string
JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference.
reference string required
Reference is the image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest
name string required
Name is the variable name.
variable object
Variable defines an arbitrary JMESPath context variable that can be defined inline.
default object
Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
jmesPath string
JMESPath is an optional JMESPath Expression that can be used to transform the variable.
value object
Value is any arbitrary JSON object representable in YAML or JSON form.
deletionPropagationPolicy string
DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).
enum: Foreground, Background, Orphan
exclude object
ExcludeResources defines when cleanuppolicy should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role.
all []object
All allows specifying resources which will be ANDed
clusterRoles []string
ClusterRoles is the list of cluster-wide role names for the user.
resources object
ResourceDescription contains information about the resource being created or modified.
annotations object
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
kinds []string
Kinds is a list of resource kinds.
name string
Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".
names []string
Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
namespaceSelector object
NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaces []string
Namespaces is a list of namespace names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
operations []string
Operations can contain values ["CREATE", "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
selector object
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
roles []string
Roles is the list of namespaced role names for the user.
subjects []object
Subjects is the list of subject names like users, user groups, and service accounts.
apiGroup string
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
kind string required
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognize the kind value, the Authorizer should report an error.
name string required
Name of the object being referenced.
namespace string
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
any []object
Any allows specifying resources which will be ORed
clusterRoles []string
ClusterRoles is the list of cluster-wide role names for the user.
resources object
ResourceDescription contains information about the resource being created or modified.
annotations object
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
kinds []string
Kinds is a list of resource kinds.
name string
Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".
names []string
Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
namespaceSelector object
NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaces []string
Namespaces is a list of namespace names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
operations []string
Operations can contain values ["CREATE", "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
selector object
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
roles []string
Roles is the list of namespaced role names for the user.
subjects []object
Subjects is the list of subject names like users, user groups, and service accounts.
apiGroup string
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
kind string required
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognize the kind value, the Authorizer should report an error.
name string required
Name of the object being referenced.
namespace string
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
match object required
MatchResources defines when cleanuppolicy should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.
all []object
All allows specifying resources which will be ANDed
clusterRoles []string
ClusterRoles is the list of cluster-wide role names for the user.
resources object
ResourceDescription contains information about the resource being created or modified.
annotations object
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
kinds []string
Kinds is a list of resource kinds.
name string
Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".
names []string
Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
namespaceSelector object
NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaces []string
Namespaces is a list of namespace names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
operations []string
Operations can contain values ["CREATE", "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
selector object
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
roles []string
Roles is the list of namespaced role names for the user.
subjects []object
Subjects is the list of subject names like users, user groups, and service accounts.
apiGroup string
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
kind string required
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognize the kind value, the Authorizer should report an error.
name string required
Name of the object being referenced.
namespace string
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
any []object
Any allows specifying resources which will be ORed
clusterRoles []string
ClusterRoles is the list of cluster-wide role names for the user.
resources object
ResourceDescription contains information about the resource being created or modified.
annotations object
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
kinds []string
Kinds is a list of resource kinds.
name string
Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".
names []string
Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
namespaceSelector object
NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
namespaces []string
Namespaces is a list of namespace names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
operations []string
Operations can contain values ["CREATE", "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
selector object
Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allow writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
roles []string
Roles is the list of namespaced role names for the user.
subjects []object
Subjects is the list of subject names like users, user groups, and service accounts.
apiGroup string
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
kind string required
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognize the kind value, the Authorizer should report an error.
name string required
Name of the object being referenced.
namespace string
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
schedule string required
The schedule in Cron format
status object
Status contains policy runtime data.
conditions []object
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
lastExecutionTime string
format: date-time
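Several constraints in this reference can be checked on a manifest before it is applied: the `operator` enum (which omits the `In` and `NotIn` values that the description text lists), the required fields, the mutual exclusivity of `service` and `urlPath`, and `data` applying only to POST. The following is an added example, not code from Kyverno or from this page; the function name `lint_cleanup_policy`, the constructed `SAMPLE` manifest and the choice to report `allowInsecureRegistry: true` as a finding are assumptions of this example.

```python
# Added example: lint a CleanupPolicy manifest (already parsed into a dict)
# against constraints stated in the schema reference above.

# Enum values of `operator` as listed on this page (In / NotIn are absent).
OPERATORS = {
    "Equals", "NotEquals", "AnyIn", "AllIn", "AnyNotIn", "AllNotIn",
    "GreaterThanOrEquals", "GreaterThan", "LessThanOrEquals", "LessThan",
    "DurationGreaterThanOrEquals", "DurationGreaterThan",
    "DurationLessThanOrEquals", "DurationLessThan",
}
PROPAGATION = {"Foreground", "Background", "Orphan"}


def lint_cleanup_policy(policy):
    """Return (path, message) findings for one CleanupPolicy dict."""
    findings = []
    spec = policy.get("spec") or {}

    # spec.match and spec.schedule are marked "required".
    for field in ("match", "schedule"):
        if not spec.get(field):
            findings.append((f"spec.{field}", "required field is missing"))

    # "At least one kind is required" across match.any / match.all.
    match = spec.get("match") or {}
    kinds = [k for block in ("any", "all")
             for flt in match.get(block) or []
             for k in (flt.get("resources") or {}).get("kinds") or []]
    if match and not kinds:
        findings.append(("spec.match", "at least one kind is required"))

    dpp = spec.get("deletionPropagationPolicy")
    if dpp is not None and dpp not in PROPAGATION:
        findings.append(("spec.deletionPropagationPolicy", f"{dpp!r} is not in the enum"))

    # conditions.any / conditions.all: a set operator must be an enum member.
    for block in ("any", "all"):
        conds = (spec.get("conditions") or {}).get(block) or []
        for i, cond in enumerate(conds):
            op = cond.get("operator")
            if op is not None and op not in OPERATORS:
                findings.append((f"spec.conditions.{block}[{i}].operator",
                                 f"{op!r} is not in the enum"))

    for i, entry in enumerate(spec.get("context") or []):
        path = f"spec.context[{i}]"
        if not entry.get("name"):
            findings.append((f"{path}.name", "required field is missing"))
        call = entry.get("apiCall") or {}
        if call.get("service") and call.get("urlPath"):
            findings.append((f"{path}.apiCall", "service and urlPath are mutually exclusive"))
        if call.get("data") and call.get("method", "GET") != "POST":
            findings.append((f"{path}.apiCall.data", "data only applies when method is POST"))
        creds = (entry.get("imageRegistry") or {}).get("imageRegistryCredentials") or {}
        # Review heuristic of this example (an assumption, not a schema rule).
        if creds.get("allowInsecureRegistry"):
            findings.append((f"{path}.imageRegistry.imageRegistryCredentials.allowInsecureRegistry",
                             "insecure registry access is enabled"))
    return findings


# Constructed sample manifest with three deliberate problems.
SAMPLE = {
    "apiVersion": "kyverno.io/v2beta1",
    "kind": "CleanupPolicy",
    "metadata": {"name": "example"},
    "spec": {
        "schedule": "*/5 * * * *",
        "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
        "deletionPropagationPolicy": "Foreground",
        "context": [
            {"name": "deployCount", "apiCall": {
                "urlPath": "/apis/apps/v1/deployments",
                "jmesPath": "items | length(@)",
                "service": {"url": "https://svc.example:8443/count"}}},
            {"name": "img", "imageRegistry": {
                "reference": "ghcr.io/kyverno/kyverno:latest",
                "imageRegistryCredentials": {"allowInsecureRegistry": True}}},
        ],
        "conditions": {"all": [
            {"key": "{{ deployCount }}", "operator": "NotIn", "value": [0]},
            {"key": "{{ deployCount }}", "operator": "GreaterThan", "value": 0},
        ]},
    },
}

if __name__ == "__main__":
    for path, message in lint_cleanup_policy(SAMPLE):
        print(f"{path}: {message}")
```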