All constraints have a match field, which defines the objects a constraint applies to. All conditions specified must be matched before an object is in-scope for a constraint.
```yaml
# excludedNamespaces <array>: ExcludedNamespaces is a list of namespace names.
# If defined, a constraint only applies to resources not in a listed namespace.
# ExcludedNamespaces also supports a prefix or suffix based glob. For example,
# `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`,
# and `excludedNamespaces: [*-system]` matches both `kube-system` and
# `gatekeeper-system`.
excludedNamespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
kinds:
  # <list item: object>: Kinds accepts a list of objects with apiGroups and
  # kinds fields that list the groups/kinds of objects to which the mutation
  # will apply. If multiple groups/kinds objects are specified, only one match
  # is needed for the resource to be in scope.
  - # apiGroups <array>: APIGroups is the API groups the resources belong to.
    # '*' is all groups. If '*' is present, the length of the slice must be
    # one. Required.
    apiGroups:
      - <string>
    kinds:
      - <string>
# labelSelector <object>: LabelSelector is the combination of two optional
# fields: `matchLabels` and `matchExpressions`. These two fields provide
# different methods of selecting or excluding k8s objects based on the label
# keys and values included in object metadata. All selection expressions from
# both sections are ANDed to determine if an object meets the cumulative
# requirements of the selector.
labelSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# name <string>: Name is the name of an object. If defined, it will match
# against objects with the specified name. Name also supports a prefix or
# suffix glob. For example, `name: pod-*` would match both `pod-a` and
# `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.
name: <string>
# namespaceSelector <object>: NamespaceSelector is a label selector against an
# object's containing namespace or the object itself, if the object is a
# namespace.
namespaceSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# namespaces <array>: Namespaces is a list of namespace names. If defined, a
# constraint only applies to resources in a listed namespace. Namespaces also
# supports a prefix or suffix based glob. For example, `namespaces: [kube-*]`
# matches both `kube-system` and `kube-public`, and `namespaces: [*-system]`
# matches both `kube-system` and `gatekeeper-system`.
namespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
# scope <string>: Scope determines if cluster-scoped and/or namespaced-scoped
# resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to
# `*`)
scope: <string>
# source <string>: Source determines whether generated or original resources
# are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A
# value of `Generated` will only match generated resources, while `Original`
# will only match regular resources.
# Allowed Values: All, Generated, Original
source: <string>
```
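The following added example (not Gatekeeper's own code) models the `kinds`, `namespaces`, `excludedNamespaces` and `labelSelector` rules described above, so you can list which objects a `match` block leaves out of scope before deploying a constraint. The match block, the object list, the `policy-exempt` label and all function names are constructed for illustration; note how the `*-system` exclusion also exempts the tenant namespace `payments-system`.

```python
# Simplified model of the documented match rules (name, namespaceSelector, scope, source omitted).
def glob_match(pattern, value):  # prefix or suffix glob; no asterisk means exact match
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def selector_match(selector, labels):  # every requirement is ANDed
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for req in selector.get("matchExpressions", []):
        key, values = req["key"], req.get("values", [])
        ok = {"In": labels.get(key) in values,
              "NotIn": labels.get(key) not in values,
              "Exists": key in labels,
              "DoesNotExist": key not in labels}[req["operator"]]
        if not ok:
            return False
    return True

def in_scope(match, obj):
    ns = obj["namespace"]
    # Only one apiGroups/kinds entry has to match.
    if "kinds" in match and not any(
            ("*" in e["apiGroups"] or obj["group"] in e["apiGroups"])
            and obj["kind"] in e["kinds"] for e in match["kinds"]):
        return False
    if "namespaces" in match and not any(glob_match(p, ns) for p in match["namespaces"]):
        return False
    if any(glob_match(p, ns) for p in match.get("excludedNamespaces", [])):
        return False
    return selector_match(match.get("labelSelector", {}), obj.get("labels", {}))

# Constructed match block and objects; all names are hypothetical.
MATCH = {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
         "excludedNamespaces": ["kube-*", "*-system"],
         "labelSelector": {"matchExpressions": [
             {"key": "policy-exempt", "operator": "DoesNotExist"}]}}
OBJECTS = [
    {"name": "web", "group": "", "kind": "Pod", "namespace": "shop", "labels": {"app": "web"}},
    {"name": "dns", "group": "", "kind": "Pod", "namespace": "kube-system"},
    {"name": "api", "group": "", "kind": "Pod", "namespace": "payments-system"},
    {"name": "job", "group": "", "kind": "Pod", "namespace": "shop", "labels": {"policy-exempt": "true"}},
    {"name": "web", "group": "apps", "kind": "Deployment", "namespace": "shop"},
]
def out_of_scope(match, objects):
    return [f'{o["kind"]}/{o["namespace"]}/{o["name"]}' for o in objects if not in_scope(match, o)]

print(out_of_scope(MATCH, OBJECTS))
```
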