Kind: PolicyException
Group: policies.kyverno.io
Version: v1
apiVersion: policies.kyverno.io/v1
kind: PolicyException
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object required
Spec declares policy exception behaviors.
allowedValues []string
AllowedValues specifies values that can be used in CEL expressions to bypass policy checks. These values can be referenced in CEL expressions via `exceptions.allowedValues`.
images []string
Images specifies container images to be excluded from policy evaluation. These excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.
matchConditions []object
MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.
expression string required
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request (/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
name string required
Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', 'my.name' or '123-abc'; the regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]'), with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName'). Required.
policyRefs []object required
PolicyRefs identifies the policies to which the exception is applied.
kind string required
Kind is the kind of the policy.
name string required
Name is the name of the policy.
reportResult string
ReportResult indicates whether the policy exception should be reported in the policy report as a skip result or pass result. Defaults to "skip".
enum: skip, pass
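Because a PolicyException switches off policy enforcement for whatever it matches, it is worth checking manifests against the schema above before they are merged. The following is an added example, not Kyverno's own code: a small linter that checks the required fields, the match condition name format and the reportResult enum listed on this page. It assumes the manifest has already been parsed from YAML into a dict and that the optional name prefix follows Kubernetes DNS-1123 subdomain syntax; the policy kind `ValidatingPolicy` and all names in the sample manifests are constructed.

```python
import re
# Name-part pattern quoted in the matchConditions[].name description.
NAME_PART = re.compile(r"([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]")
# Assumption: the optional prefix follows Kubernetes DNS-1123 subdomain syntax.
DNS_SUBDOMAIN = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")

def valid_condition_name(name):
    """Accept 'name-part' or 'dns.subdomain/name-part'."""
    prefix, slash, part = name.rpartition("/")
    return (not slash or bool(DNS_SUBDOMAIN.fullmatch(prefix))) and bool(NAME_PART.fullmatch(part))

def lint_policy_exception(doc):
    """Return schema problems in a parsed PolicyException manifest (a dict)."""
    if doc.get("apiVersion") != "policies.kyverno.io/v1" or doc.get("kind") != "PolicyException":
        return ["not a policies.kyverno.io/v1 PolicyException"]
    spec, problems = doc.get("spec"), []
    if not isinstance(spec, dict):
        return ["spec is required"]
    refs = spec.get("policyRefs")
    if not isinstance(refs, list):
        problems.append("spec.policyRefs is required")
    for i, ref in enumerate(refs if isinstance(refs, list) else []):
        for key in ("kind", "name"):
            if not isinstance(ref.get(key), str):
                problems.append(f"spec.policyRefs[{i}].{key} is required")
    for i, cond in enumerate(spec.get("matchConditions") or []):
        if not isinstance(cond.get("expression"), str):
            problems.append(f"spec.matchConditions[{i}].expression is required")
        name = cond.get("name")
        if not isinstance(name, str):
            problems.append(f"spec.matchConditions[{i}].name is required")
        elif not valid_condition_name(name):
            problems.append(f"spec.matchConditions[{i}].name {name!r} is not a qualified name")
    if spec.get("reportResult", "skip") not in ("skip", "pass"):
        problems.append("spec.reportResult must be 'skip' or 'pass'")
    return problems

# Constructed sample manifests (already parsed from YAML); all names are made up.
GOOD = {"apiVersion": "policies.kyverno.io/v1", "kind": "PolicyException",
        "spec": {"policyRefs": [{"kind": "ValidatingPolicy", "name": "sample-policy"}],
                 "matchConditions": [{"name": "example.com/sandbox-only",
                                      "expression": "object.metadata.namespace == 'sandbox'"}]}}
BAD = {"apiVersion": "policies.kyverno.io/v1", "kind": "PolicyException",
       "spec": {"policyRefs": [{"kind": "ValidatingPolicy"}], "reportResult": "ignore",
                "matchConditions": [{"name": "-sandbox only", "expression": "true"}]}}

for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
    print(label, lint_policy_exception(doc) or "ok")
```

The linter checks structure only; it does not evaluate the CEL expressions or enforce length limits on names.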