k8s_openapi/v1_32/api/admissionregistration/v1/
match_resources.rs

1// Generated from definition io.k8s.api.admissionregistration.v1.MatchResources
2
3/// MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
4#[derive(Clone, Debug, Default, PartialEq)]
5pub struct MatchResources {
6    /// ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
7    pub exclude_resource_rules: Option<Vec<crate::api::admissionregistration::v1::NamedRuleWithOperations>>,
8
9    /// matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
10    ///
11    /// - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:\["apps"\], apiVersions:\["v1"\], resources: \["deployments"\]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
12    ///
13    /// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:\["apps"\], apiVersions:\["v1"\], resources: \["deployments"\]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
14    ///
15    /// Defaults to "Equivalent"
16    pub match_policy: Option<String>,
17
18    /// NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.
19    ///
20    /// For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
21    ///   "matchExpressions": \[
22    ///     {
23    ///       "key": "runlevel",
24    ///       "operator": "NotIn",
25    ///       "values": \[
26    ///         "0",
27    ///         "1"
28    ///       \]
29    ///     }
30    ///   \]
31    /// }
32    ///
33    /// If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
34    ///   "matchExpressions": \[
35    ///     {
36    ///       "key": "environment",
37    ///       "operator": "In",
38    ///       "values": \[
39    ///         "prod",
40    ///         "staging"
41    ///       \]
42    ///     }
43    ///   \]
44    /// }
45    ///
46    /// See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.
47    ///
48    /// Default to the empty LabelSelector, which matches everything.
49    pub namespace_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>,
50
51    /// ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
52    pub object_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>,
53
54    /// ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.
55    pub resource_rules: Option<Vec<crate::api::admissionregistration::v1::NamedRuleWithOperations>>,
56}
57
58impl crate::DeepMerge for MatchResources {
59    fn merge_from(&mut self, other: Self) {
60        crate::merge_strategies::list::atomic(&mut self.exclude_resource_rules, other.exclude_resource_rules);
61        crate::DeepMerge::merge_from(&mut self.match_policy, other.match_policy);
62        crate::DeepMerge::merge_from(&mut self.namespace_selector, other.namespace_selector);
63        crate::DeepMerge::merge_from(&mut self.object_selector, other.object_selector);
64        crate::merge_strategies::list::atomic(&mut self.resource_rules, other.resource_rules);
65    }
66}
67
68impl<'de> crate::serde::Deserialize<'de> for MatchResources {
69    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error> where D: crate::serde::Deserializer<'de> {
70        #[allow(non_camel_case_types)]
71        enum Field {
72            Key_exclude_resource_rules,
73            Key_match_policy,
74            Key_namespace_selector,
75            Key_object_selector,
76            Key_resource_rules,
77            Other,
78        }
79
80        impl<'de> crate::serde::Deserialize<'de> for Field {
81            fn deserialize<D>(deserializer: D) -> Result<Self, D::Error> where D: crate::serde::Deserializer<'de> {
82                struct Visitor;
83
84                impl crate::serde::de::Visitor<'_> for Visitor {
85                    type Value = Field;
86
87                    fn expecting(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
88                        f.write_str("field identifier")
89                    }
90
91                    fn visit_str<E>(self, v: &str) -> Result<Self::Value, E> where E: crate::serde::de::Error {
92                        Ok(match v {
93                            "excludeResourceRules" => Field::Key_exclude_resource_rules,
94                            "matchPolicy" => Field::Key_match_policy,
95                            "namespaceSelector" => Field::Key_namespace_selector,
96                            "objectSelector" => Field::Key_object_selector,
97                            "resourceRules" => Field::Key_resource_rules,
98                            _ => Field::Other,
99                        })
100                    }
101                }
102
103                deserializer.deserialize_identifier(Visitor)
104            }
105        }
106
107        struct Visitor;
108
109        impl<'de> crate::serde::de::Visitor<'de> for Visitor {
110            type Value = MatchResources;
111
112            fn expecting(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
113                f.write_str("MatchResources")
114            }
115
116            fn visit_map<A>(self, mut map: A) -> Result<Self::Value, A::Error> where A: crate::serde::de::MapAccess<'de> {
117                let mut value_exclude_resource_rules: Option<Vec<crate::api::admissionregistration::v1::NamedRuleWithOperations>> = None;
118                let mut value_match_policy: Option<String> = None;
119                let mut value_namespace_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector> = None;
120                let mut value_object_selector: Option<crate::apimachinery::pkg::apis::meta::v1::LabelSelector> = None;
121                let mut value_resource_rules: Option<Vec<crate::api::admissionregistration::v1::NamedRuleWithOperations>> = None;
122
123                while let Some(key) = crate::serde::de::MapAccess::next_key::<Field>(&mut map)? {
124                    match key {
125                        Field::Key_exclude_resource_rules => value_exclude_resource_rules = crate::serde::de::MapAccess::next_value(&mut map)?,
126                        Field::Key_match_policy => value_match_policy = crate::serde::de::MapAccess::next_value(&mut map)?,
127                        Field::Key_namespace_selector => value_namespace_selector = crate::serde::de::MapAccess::next_value(&mut map)?,
128                        Field::Key_object_selector => value_object_selector = crate::serde::de::MapAccess::next_value(&mut map)?,
129                        Field::Key_resource_rules => value_resource_rules = crate::serde::de::MapAccess::next_value(&mut map)?,
130                        Field::Other => { let _: crate::serde::de::IgnoredAny = crate::serde::de::MapAccess::next_value(&mut map)?; },
131                    }
132                }
133
134                Ok(MatchResources {
135                    exclude_resource_rules: value_exclude_resource_rules,
136                    match_policy: value_match_policy,
137                    namespace_selector: value_namespace_selector,
138                    object_selector: value_object_selector,
139                    resource_rules: value_resource_rules,
140                })
141            }
142        }
143
144        deserializer.deserialize_struct(
145            "MatchResources",
146            &[
147                "excludeResourceRules",
148                "matchPolicy",
149                "namespaceSelector",
150                "objectSelector",
151                "resourceRules",
152            ],
153            Visitor,
154        )
155    }
156}
157
158impl crate::serde::Serialize for MatchResources {
159    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error> where S: crate::serde::Serializer {
160        let mut state = serializer.serialize_struct(
161            "MatchResources",
162            self.exclude_resource_rules.as_ref().map_or(0, |_| 1) +
163            self.match_policy.as_ref().map_or(0, |_| 1) +
164            self.namespace_selector.as_ref().map_or(0, |_| 1) +
165            self.object_selector.as_ref().map_or(0, |_| 1) +
166            self.resource_rules.as_ref().map_or(0, |_| 1),
167        )?;
168        if let Some(value) = &self.exclude_resource_rules {
169            crate::serde::ser::SerializeStruct::serialize_field(&mut state, "excludeResourceRules", value)?;
170        }
171        if let Some(value) = &self.match_policy {
172            crate::serde::ser::SerializeStruct::serialize_field(&mut state, "matchPolicy", value)?;
173        }
174        if let Some(value) = &self.namespace_selector {
175            crate::serde::ser::SerializeStruct::serialize_field(&mut state, "namespaceSelector", value)?;
176        }
177        if let Some(value) = &self.object_selector {
178            crate::serde::ser::SerializeStruct::serialize_field(&mut state, "objectSelector", value)?;
179        }
180        if let Some(value) = &self.resource_rules {
181            crate::serde::ser::SerializeStruct::serialize_field(&mut state, "resourceRules", value)?;
182        }
183        crate::serde::ser::SerializeStruct::end(state)
184    }
185}
186
187#[cfg(feature = "schemars")]
188impl crate::schemars::JsonSchema for MatchResources {
189    fn schema_name() -> String {
190        "io.k8s.api.admissionregistration.v1.MatchResources".to_owned()
191    }
192
193    fn json_schema(__gen: &mut crate::schemars::gen::SchemaGenerator) -> crate::schemars::schema::Schema {
194        crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
195            metadata: Some(Box::new(crate::schemars::schema::Metadata {
196                description: Some("MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)".to_owned()),
197                ..Default::default()
198            })),
199            instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::Object))),
200            object: Some(Box::new(crate::schemars::schema::ObjectValidation {
201                properties: [
202                    (
203                        "excludeResourceRules".to_owned(),
204                        crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
205                            metadata: Some(Box::new(crate::schemars::schema::Metadata {
206                                description: Some("ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)".to_owned()),
207                                ..Default::default()
208                            })),
209                            instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::Array))),
210                            array: Some(Box::new(crate::schemars::schema::ArrayValidation {
211                                items: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(__gen.subschema_for::<crate::api::admissionregistration::v1::NamedRuleWithOperations>()))),
212                                ..Default::default()
213                            })),
214                            ..Default::default()
215                        }),
216                    ),
217                    (
218                        "matchPolicy".to_owned(),
219                        crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
220                            metadata: Some(Box::new(crate::schemars::schema::Metadata {
221                                description: Some("matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"".to_owned()),
222                                ..Default::default()
223                            })),
224                            instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::String))),
225                            ..Default::default()
226                        }),
227                    ),
228                    (
229                        "namespaceSelector".to_owned(),
230                        {
231                            let mut schema_obj = __gen.subschema_for::<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>().into_object();
232                            schema_obj.metadata = Some(Box::new(crate::schemars::schema::Metadata {
233                                description: Some("NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.".to_owned()),
234                                ..Default::default()
235                            }));
236                            crate::schemars::schema::Schema::Object(schema_obj)
237                        },
238                    ),
239                    (
240                        "objectSelector".to_owned(),
241                        {
242                            let mut schema_obj = __gen.subschema_for::<crate::apimachinery::pkg::apis::meta::v1::LabelSelector>().into_object();
243                            schema_obj.metadata = Some(Box::new(crate::schemars::schema::Metadata {
244                                description: Some("ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.".to_owned()),
245                                ..Default::default()
246                            }));
247                            crate::schemars::schema::Schema::Object(schema_obj)
248                        },
249                    ),
250                    (
251                        "resourceRules".to_owned(),
252                        crate::schemars::schema::Schema::Object(crate::schemars::schema::SchemaObject {
253                            metadata: Some(Box::new(crate::schemars::schema::Metadata {
254                                description: Some("ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.".to_owned()),
255                                ..Default::default()
256                            })),
257                            instance_type: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(crate::schemars::schema::InstanceType::Array))),
258                            array: Some(Box::new(crate::schemars::schema::ArrayValidation {
259                                items: Some(crate::schemars::schema::SingleOrVec::Single(Box::new(__gen.subschema_for::<crate::api::admissionregistration::v1::NamedRuleWithOperations>()))),
260                                ..Default::default()
261                            })),
262                            ..Default::default()
263                        }),
264                    ),
265                ].into(),
266                ..Default::default()
267            })),
268            ..Default::default()
269        })
270    }
271}