Api Reference

ResourceSelectors restricts resource types that this validate policy applies to. nil means matching all resources.

ValidateRules defines a collection of validate rules on target operations.

"Equal"

CondEqual - Equal

"Exist"

CondExist - Exist

"Gt"

CondGreater - Gt

"Gte"

CondGreaterOrEqual - Gte

"In"

CondIn - In

"Lt"

CondLesser - Lt

"Lte"

CondLesserOrEqual - Lte

"NotEqual"

CondNotEqual - NotEqual

"NotExist"

CondNotExist - NotExist

"NotIn"

CondNotIn - NotIn

"Regex"

CondRegex match regex. e.g. /^\d{1,}$/

String as a string

Integer as an integer(int64)

Float as float but use string to store, so please provide in comma (e.g. float: “1.2”)

Boolean only true or false can be recognized.

StringSlice as a slice of string(e.g. [“a”,“b”])

IntegerSlice as a slice of integer(int64) (e.g. [1,2,3])

FloatSlice as a slice of float but using string (e.g. [“1.2”, “2.3”])

StringMap as key-value set and both are string.

matchFields is a map of {key,value} pairs. A single {key,value} in the matchFields map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”.

matchExpressions is a list of fields selector requirements. The requirements are ANDed.

Field is the field key that the selector applies to. Must provide whole path of key, such as metadata.annotations.uid

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.

URL as whole http url

Method as basic http method(e.g. GET or POST)

Header represents the custom header added to http request header.

Params represents the query value for http request.

Body represents the json body when http method is POST.

Auth defines basic info for get authorization token before do request. Note: it will request authURL with post and Header.Set("Authorization", "Basic "+basicAuth(username, password)) and get token from response body. Response Body must be a valid json and contains token like this: `{“token”: “xxx”} . After get the token, the request will add a new key value to header, key is “Authorization” and value is “Bearer xxx”.

StaticToken represents for static token for call api instead of get token from remote api. StaticToken and other fields are mutually exclusive, staticToken is priority to take effect.

Username represents username for auth.

Password represents Password for auth.

AuthURL represents remote url to request and get token.

ExpireDuration is providing for some auth api won’t return exact expire time, so can you this field set an expiry duration for token

Token stores the latest token get from AuthURL, and it’ll be updated when token expired. This filed is not fill by user, so don’t edit it.

ExpireAt sores the token expire time. Same as above field, this field also updated automatically. This filed is not fill by user, so don’t edit it.

ResourceSelectors restricts resource types that this override policy applies to. nil means matching all resources.

OverrideRules defines a collection of override rules on target operations.

Type represents current rule operate field type.

Operation represents current operation type.

Path is field path of current object(e.g. /spec/affinity) If current type is annotations or labels, then only need to provide the key, no need whole path.

Value sets exact value for rule, like enum or numbers Must set value when type is regex.

ValueRef represents for value reference from current or remote object. Need specify the type of object and how to get it.

Resources valid only when the type is resources

ResourcesOversell valid only when the type is resourcesOversell

Tolerations valid only when the type is tolerations

Affinity valid only when the type is affinity

"affinity"

OverrideRuleTypeAffinity - affinity

"annotations"

OverrideRuleTypeAnnotations - annotations

"labels"

OverrideRuleTypeLabels - labels

"resources"

OverrideRuleTypeResources - resources

"resourcesOversell"

OverrideRuleTypeResourcesOversell - resourcesOversell

"tolerations"

OverrideRuleTypeTolerations - tolerations

"add"

OverriderOpAdd - “add” value to object

"remove"

OverriderOpRemove - remove field form object

"replace"

OverriderOpReplace - remove and add value(if specified path doesn’t exist, it will add directly)

Plaintext represents override rules defined with plaintext overriders.

Cue represents override rules defined with cue code.

Template of rule which defines override rule, and it will be rendered to CUE and store in RenderedCue field, so if there are any data added manually will be erased.

RenderedCue represents override rule defined by Template. Don’t modify the value of this field, modify Rules instead of.

Path indicates the path of target field

Operator indicates the operation on target field. Available operators are: add, update and remove.

Value to be applied to target field. Must be empty when operator is Remove.

From represents where this referenced object are.

Path has different meaning, it represents current object field path like “/spec/replica” when From equals “current” and it also can be format like “data.result.x.y” when From equals “http”, it represents the path in http response Only when From is owner(means refer current object owner), the path can be empty.

K8s means refer another object from current cluster.

Http means refer data from remote api.

APIVersion represents the API version of the target resources.

Kind represents the Kind of the target resources.

Namespace of the target resource. Default is empty, which means inherit from the parent object scope.

Name of the target resource. Default is empty, which means selecting all resources.

A label query over a set of resources. If name is not empty, labelSelector will be ignored.

A field query over a set of resources. If name is not empty, fieldSelector wil be ignored.

CpuFactor factor of cup oversell, it is float number less than 1, the range of value is (0,1.0)

MemoryFactor factor of cup oversell, it is float number less than 1, the range of value is (0,1.0)

DiskFactor factor of cup oversell, it is float number less than 1, the range of value is (0,1.0)

TargetOperations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If ‘*’ is present, the length of the slice must be one. Required.

Overriders represents the override rules that would apply on resources

AffectMode represents the mode of policy hit affect, in default case(reject), webhook rejects the operation when policy hit, otherwise it will allow the operation. If mode is allow, only allow the operation when policy hit, otherwise reject them all.

Cond represents type of condition (e.g. Equal, Exist)

DataRef represents for data reference from current or remote object. Need specify the type of object and how to get it.

Message specify reject message when policy hit.

Value sets exact value for rule, like enum or numbers

ValueRef represents for value reference from current or remote object. Need specify the type of object and how to get it.

ValueProcess represents handle process for value or valueRef. Currently only support for number value, so make sure value or value from remote is a number.

Type represents current rule operate field type.

Condition represents general condition rule for more custom demand.

Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If ‘*’ is present, the length of the slice must be one. Required.

Cue represents validate rules defined with cue code.

Template of condition which defines validate cond, and it will be rendered to CUE and store in RenderedCue field, so if there are any data added manually will be erased.

RenderedCue represents validate rule defined by Template. Don’t modify the value of this field, modify Rules instead of.

Operation defines the type of operate value, and it should work with operationWith. For example, operation is * and operationWith is 0.5 then in cue the value will be multiplied by 0.5.

OperationWith defines value for operate to handle static value or value from remote.

"current"

FromCurrentObject means read data from current k8s object(the newest one when update operate intercept)

"http"

FromHTTP - read data from http response

"k8s"

FromK8s - read data from other object in current kubernetes

"old"

FromOldObject means read data from old object, only used when object be updated

"const"

ValueTypeConst means value is specified exactly.

"ref"

ValueTypeRefer means value is refer from other object