diff --git a/content/en/docs/reference/config-api/apiserver-audit.v1.md b/content/en/docs/reference/config-api/apiserver-audit.v1.md index 4d36f5d2182..abab04f1bd2 100644 --- a/content/en/docs/reference/config-api/apiserver-audit.v1.md +++ b/content/en/docs/reference/config-api/apiserver-audit.v1.md @@ -325,9 +325,9 @@ The empty string represents the core API group.
For example: 'pods' matches pods. 'pods/log' matches the log subresource of pods. -'' matches all resources and their subresources. -'pods/' matches all subresources of pods. -'*/scale' matches all scale subresources.
+'*' matches all resources and their subresources. +'pods/*' matches all subresources of pods. +'*/scale' matches all scale subresources.If wildcard is present, the validation rule will ensure resources do not overlap with each other.
An empty list implies all resources and subresources in this API groups apply.
@@ -501,10 +501,10 @@ An empty list implies every namespace.NonResourceURLs is a set of URL paths that should be audited. -s are allowed, but only as the full, final step in the path. +*s are allowed, but only as the full, final step in the path. Examples: "/metrics" - Log requests for apiserver metrics -"/healthz" - Log all health checks
+"/healthz*" - Log all health checksomitStagesEncryptionConfiguration stores the complete configuration for encryption providers. It also allows the use of wildcards to specify the resources that should be encrypted. -Use '.' to encrypt all resources within a group or '.' to encrypt all resources. -'.' can be used to encrypt all resource in the core group. '.' will encrypt all +Use '*.<group>' to encrypt all resources within a group or '*.*' to encrypt all resources. +'*.' can be used to encrypt all resource in the core group. '*.*' will encrypt all resources, even custom resources that are added after API server start. Use of wildcards that overlap within the same resource list or across multiple entries are not allowed since part of the configuration would be ineffective. @@ -283,9 +283,9 @@ Set to a negative value to disable caching. This field is only allowed for KMS v
resources is a list of kubernetes resources which have to be encrypted. The resource names are derived from resource or resource.group of the group/version/resource.
eg: pandas.awesome.bears.example is a custom resource with 'group': awesome.bears.example, 'resource': pandas.
-Use '.' to encrypt all resources and '.' to encrypt all resources in a specific group.
-eg: '.awesome.bears.example' will encrypt all resources in the group 'awesome.bears.example'.
-eg: '*.' will encrypt all resources in the core group (such as pods, configmaps, etc).
providers [Required]Each entry in matchImages is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.
+as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. +Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.A match exists between an image and a matchImage when all of the below are true:
Example values of matchImages:
Each entry in matchImages is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.
+as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. +Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.A match exists between an image and a matchImage when all of the below are true:
Example values of matchImages:
Each key in the map is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.
+as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. +Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.The kubelet will match images against the key when all of the below are true:
Example keys:
Each key in the map is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.
+as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. +Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.The kubelet will match images against the key when all of the below are true:
Example keys:
Each key in the map is a pattern which can optionally contain a port and a path. Globs can be used in the domain, but not in the port or the path. Globs are supported -as subdomains like '.k8s.io' or 'k8s..io', and top-level-domains such as 'k8s.'. -Matching partial subdomains like 'app.k8s.io' is also supported. Each glob can only match -a single subdomain segment, so *.io does not match *.k8s.io.
+as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. +Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match +a single subdomain segment, so *.io does not match *.k8s.io.The kubelet will match images against the key when all of the below are true:
Example keys:
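Review bot: in the audit resources hunk (@@ -325), the restored '*' and 'pods/*' are still bare asterisks in a Markdown source. Several asterisks in one paragraph is the pattern a renderer pairs into emphasis, which matches how the removed lines came to read '' and 'pods/'. Put each pattern in a code span or escape the asterisk, and confirm the result on the rendered page rather than in the source, since a reader copying a blank or truncated pattern into an audit policy gets different coverage from what the text describes.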
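Review bot: in the NonResourceURLs hunk (@@ -501), restoring the asterisk exposes a contradiction between the rule and its example. The sentence says "*s are allowed, but only as the full, final step in the path", yet the example "/healthz*" uses the asterisk as a suffix of a step, not as a full step. Please reword the rule so it agrees with the example, or change the example, so that readers writing audit rules know which form is actually accepted. Starting the sentence with "*s" is also hard to read; something like "Wildcards ('*') are allowed" would be clearer.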
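Review bot: in the EncryptionConfiguration description hunk, the added line "Use '*.<group>' to encrypt all resources within a group" introduces an angle-bracket placeholder that Markdown treats as an inline HTML tag, so it can vanish from the rendered page the same way the asterisks did and leave '*.' where '*.<group>' was meant. Escape it as an entity or put the pattern in a code span, or use a concrete group as the field description does with awesome.bears.example. On the next added line, "encrypt all resource in the core group" should read "all resources". The resources hunk that follows (@@ -283) shows only removed lines here, so its replacement text could not be checked.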
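Review bot: in the matchImages and credential provider key hunks, the last added line "a single subdomain segment, so *.io does not match *.k8s.io" leaves both patterns unquoted while every other pattern in the paragraph is quoted, and two bare asterisks on one line are the most likely to be paired as emphasis. Quote or code-format them like the rest. The same three-line fix is repeated in five places in this patch; if these paragraphs come from one shared source, fixing the escaping there would keep the copies from drifting or regressing on the next regeneration.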