Skip to content
Kyverno

Resource Definitions

Kyverno uses Kubernetes Custom Resource Definitions (CRDs) for policy definitions, policy reports, and other internal types.

The complete Kyverno CRD reference can be viewed here.

The HTML source is available in the Kyverno GitHub repository and generated from type definitions stored here.

kubectl explain

Section titled “kubectl explain”

When operating in a Kubernetes cluster with Kyverno installed, you can always inspect Kyverno types natively using kubectl explain.

For example, this is the definition of a Kyverno Policy resource at policy.spec:

Terminal window
KIND:     Policy
VERSION:  kyverno.io/v1


RESOURCE: spec <Object>


DESCRIPTION:
     Spec defines policy behaviors and contains one or more rules.


FIELDS:
   background   <boolean>
     Background controls if rules are applied to existing resources during a
     background scan. Optional. Default value is "true". The value must be set
     to "false" if the policy rule uses variables that are only available in the
     admission review request (e.g. user name).


   failurePolicy        <string>
     FailurePolicy defines how unrecognized errors from the admission endpoint
     are handled. Rules within the same policy share the same failure behavior.
     Allowed values are Ignore or Fail. Defaults to Fail.


   rules        <[]Object>
     Rules is a list of Rule instances. A Policy contains multiple rules and
     each rule can validate, mutate, or generate resources.


   schemaValidation     <boolean>
     Deprecated.


   validationFailureAction      <string>
     ValidationFailureAction controls if a validation policy rule failure should
     disallow the admission review request (enforce), or allow (audit) the
     admission review request and report an error in a policy report. Optional.
     Allowed values are `Audit` or `Enforce`. The default value is `Audit`.


   validationFailureActionOverrides     <[]Object>
     ValidationFailureActionOverrides is a Cluter Policy attribute that
     specifies ValidationFailureAction namespace-wise. It overrides
     ValidationFailureAction for the specified namespaces.


   webhookTimeoutSeconds        <integer>
     WebhookTimeoutSeconds specifies the maximum time in seconds allowed to
     apply this policy. After the configured time expires, the admission request
     may fail, or may simply ignore the policy results, based on the failure
     policy. The default timeout is 10s, the value must be between 1 and 30
     seconds.

Kyverno’s support for structural schemas also enables integrated help in Kubernetes enabled Integrated Development Environments (IDEs) like VS Code with the Kubernetes Extension installed.