{ "description": "ClusterReport is the Schema for the ClusterReport API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "configuration": { "description": "Configuration is an optional field which can be used to specify\na contract between Report generators and consumers", "properties": { "limits": { "properties": { "maxResults": { "description": "MaxResults is the maximum number of results contained in the report", "type": "integer" }, "statusFilter": { "description": "StatusFilter indicates that the Report contains only those reports with statuses specified in this list", "items": { "description": "StatusFilter is used by Report generators to write only those reports whose status is specified by the filters", "enum": [ "pass", "fail", "warn", "error", "skip" ], "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "required": [ "limits" ], "type": "object", "additionalProperties": false }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "results": { "description": "ReportResult provides result details", "items": { "description": "ReportResult provides the result for an individual policy", "properties": { "category": { "description": "Category indicates policy category", "type": "string" }, "message": { "description": "Description is a short user friendly message for the policy rule", "type": "string" }, "policy": { "description": "Policy is the name or identifier of the policy", "type": "string" }, "properties": { "additionalProperties": { "type": "string" }, "description": "Properties provides additional information for the policy rule", "type": "object" }, "resourceSelector": { "description": "ResourceSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a ResourceSelector can be specified. If neither are provided, the\nresult is assumed to be for the policy report scope.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "resources": { "description": "Subjects is an optional reference to the checked Kubernetes resources", "items": { "description": "ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .", "properties": { "apiVersion": { "description": "API version of the referent.", "type": "string" }, "fieldPath": { "description": "If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.", "type": "string" }, "kind": { "description": "Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" }, "namespace": { "description": "Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", "type": "string" }, "resourceVersion": { "description": "Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", "type": "string" }, "uid": { "description": "UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "result": { "description": "Result indicates the outcome of the policy rule execution", "enum": [ "pass", "fail", "warn", "error", "skip" ], "type": "string" }, "rule": { "description": "Rule is the name or identifier of the rule within the policy", "type": "string" }, "scored": { "description": "Scored indicates if this result is scored", "type": "boolean" }, "severity": { "description": "Severity indicates policy check result criticality", "enum": [ "critical", "high", "low", "medium", "info" ], "type": "string" }, "source": { "description": "Source is an identifier for the policy engine that manages this report\nIf the Source is specified at this level, it will override the Source\nfield set at the Report level", "type": "string" }, "timestamp": { "description": "Timestamp indicates the time the result was found", "properties": { "nanos": { "description": "Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.", "format": "int32", "type": "integer" }, "seconds": { "description": "Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.", "format": "int64", "type": "integer" } }, "required": [ "nanos", "seconds" ], "type": "object", "additionalProperties": false }, "additionalProperties": false }, "required": [ "policy" ], "type": "object", "additionalProperties": false }, "type": "array" }, "scope": { "description": "Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)", "properties": { "apiVersion": { "description": "API version of the referent.", "type": "string" }, "fieldPath": { "description": "If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.", "type": "string" }, "kind": { "description": "Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "name": { "description": "Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" }, "namespace": { "description": "Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", "type": "string" }, "resourceVersion": { "description": "Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", "type": "string" }, "uid": { "description": "UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "scopeSelector": { "description": "ScopeSelector is an optional selector for multiple scopes (e.g. Pods).\nEither one of, or none of, but not both of, Scope or ScopeSelector should be specified.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "source": { "description": "Source is an identifier for the source e.g. a policy engine that manages this report.\nUse this field if all the results are produced by a single policy engine.\nIf the results are produced by multiple sources e.g. different engines or scanners,\nthen use the Source field at the ReportResult level.", "type": "string" }, "summary": { "description": "ReportSummary provides a summary of results", "properties": { "error": { "description": "Error provides the count of policies that could not be evaluated", "type": "integer" }, "fail": { "description": "Fail provides the count of policies whose requirements were not met", "type": "integer" }, "pass": { "description": "Pass provides the count of policies whose requirements were met", "type": "integer" }, "skip": { "description": "Skip indicates the count of policies that were not selected for evaluation", "type": "integer" }, "warn": { "description": "Warn provides the count of non-scored policies whose requirements were not met", "type": "integer" } }, "type": "object", "additionalProperties": false } }, "type": "object" }