diff --git a/content/en/docs/reference/_index.md b/content/en/docs/reference/_index.md index c4e217af2a..403b84f7c2 100644 --- a/content/en/docs/reference/_index.md +++ b/content/en/docs/reference/_index.md @@ -77,6 +77,7 @@ operator to use or manage a cluster. * [kube-apiserver configuration (v1alpha1)](/docs/reference/config-api/apiserver-config.v1alpha1/) * [kube-apiserver configuration (v1)](/docs/reference/config-api/apiserver-config.v1/) * [kube-apiserver encryption (v1)](/docs/reference/config-api/apiserver-encryption.v1/) +* [kube-apiserver event rate limit (v1alpha1)](/docs/reference/config-api/apiserver-eventratelimit.v1/) * [kubelet configuration (v1alpha1)](/docs/reference/config-api/kubelet-config.v1alpha1/) and [kubelet configuration (v1beta1)](/docs/reference/config-api/kubelet-config.v1beta1/) * [kubelet credential providers (v1alpha1)](/docs/reference/config-api/kubelet-credentialprovider.v1alpha1/) @@ -88,6 +89,7 @@ operator to use or manage a cluster. * [Client authentication API (v1beta1)](/docs/reference/config-api/client-authentication.v1beta1/) and [Client authentication API (v1)](/docs/reference/config-api/client-authentication.v1/) * [WebhookAdmission configuration (v1)](/docs/reference/config-api/apiserver-webhookadmission.v1/) +* [ImagePolicy API (v1alpha1)](/docs/reference/config-api/imagepolicy.v1alpha1/) ## Config API for kubeadm diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md index e37059784c..e2a3d63e62 100644 --- a/content/en/docs/reference/access-authn-authz/admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md 
@@ -356,19 +356,21 @@ users: For additional HTTP configuration, refer to the [kubeconfig](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) documentation. -#### Request Payloads +#### Request payloads When faced with an admission decision, the API Server POSTs a JSON serialized `imagepolicy.k8s.io/v1alpha1` `ImageReview` object describing the action. This object contains fields describing the containers being admitted, as well as any pod annotations that match `*.image-policy.k8s.io/*`. -Note that webhook API objects are subject to the same versioning compatibility rules +{{ note }} +The webhook API objects are subject to the same versioning compatibility rules as other Kubernetes API objects. Implementers should be aware of looser compatibility -promises for alpha objects and check the "apiVersion" field of the request to +promises for alpha objects and check the `apiVersion` field of the request to ensure correct deserialization. Additionally, the API Server must enable the `imagepolicy.k8s.io/v1alpha1` API extensions group (`--runtime-config=imagepolicy.k8s.io/v1alpha1=true`). +{{ /note }} An example request body: @@ -420,8 +422,8 @@ To disallow access, the service would return: } ``` -For further documentation refer to the `imagepolicy.v1alpha1` API objects and -`plugin/pkg/admission/imagepolicy/admission.go`. +For further documentation refer to the +[`imagepolicy.v1alpha1` API](/docs/reference/config-api/imagepolicy.v1alpha1/). #### Extending with Annotations 
@@ -432,9 +434,9 @@ accept different information. Examples of information you might put here are: - * request to "break glass" to override a policy, in case of emergency. - * a ticket number from a ticket system that documents the break-glass request - * provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup +* request to "break glass" to override a policy, in case of emergency. +* a ticket number from a ticket system that documents the break-glass request +* provide a hint to the policy server as to the imageID of the image being provided, to save it a lookup In any case, the annotations are provided by the user and are not validated by Kubernetes in any way. @@ -469,8 +471,7 @@ webhooks or validating admission controllers will permit the request to finish. If you disable the MutatingAdmissionWebhook, you must also disable the `MutatingWebhookConfiguration` object in the `admissionregistration.k8s.io/v1` -group/version via the `--runtime-config` flag (both are on by default in -versions >= 1.9). +group/version via the `--runtime-config` flag, both are on by default. #### Use caution when authoring and installing mutating webhooks @@ -599,7 +600,7 @@ Starting from 1.11, this admission controller is disabled by default. This admission controller defaults and limits what node selectors may be used within a namespace by reading a namespace annotation and a global configuration. -#### Configuration File Format +#### Configuration file format `PodNodeSelector` uses a configuration file to set options for the behavior of the backend. Note that the configuration file format will move to a versioned file in a future release. 
@@ -649,9 +650,7 @@ This admission controller has the following behavior: 3. Evaluate the pod's node selector against the namespace node selector for conflicts. Conflicts result in rejection. 4. Evaluate the pod's node selector against the namespace-specific allowed selector defined the - plugin configuration file. - -Conflicts result in rejection. + plugin configuration file. Conflicts result in rejection. {{< note >}} PodNodeSelector allows forcing pods to run on specifically labeled nodes. Also see the PodTolerationRestriction diff --git a/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md new file mode 100644 index 0000000000..f420623559 --- /dev/null +++ b/content/en/docs/reference/config-api/imagepolicy.v1alpha1.md @@ -0,0 +1,168 @@ +--- +title: Image Policy API (v1alpha1) +content_type: tool-reference +package: imagepolicy.k8s.io/v1alpha1 +auto_generated: true +--- + + +## Resource Types + + +- [ImageReview](#imagepolicy-k8s-io-v1alpha1-ImageReview) + + + +## `ImageReview` {#imagepolicy-k8s-io-v1alpha1-ImageReview} + + + +
ImageReview checks if the set of images in a pod are allowed.
+ + +Field | Description |
---|---|
apiVersion string | imagepolicy.k8s.io/v1alpha1 |
kind string | ImageReview |
metadata + meta/v1.ObjectMeta
+ |
+
+ Standard object's metadata. +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Refer to the Kubernetes API documentation for the fields of themetadata field. |
+
spec [Required]+ ImageReviewSpec
+ |
+
+ Spec holds information about the pod being evaluated + |
+
status + ImageReviewStatus
+ |
+
+ Status is filled in by the backend and indicates whether the pod should be allowed. + |
+
ImageReviewContainerSpec is a description of a container within the pod creation request.
+ + +Field | Description |
---|---|
image + string
+ |
+
+ This can be in the form image:tag or image@SHA:012345679abcdef. + |
+
ImageReviewSpec is a description of the pod creation request.
+ + +Field | Description |
---|---|
containers + []ImageReviewContainerSpec
+ |
+
+ Containers is a list of a subset of the information in each container of the Pod being created. + |
+
annotations + map[string]string
+ |
+
+ Annotations is a list of key-value pairs extracted from the Pod's annotations.
+It only includes keys which match the pattern |
+
namespace + string
+ |
+
+ Namespace is the namespace the pod is being created in. + |
+
ImageReviewStatus is the result of the review for the pod creation request.
+ + +Field | Description |
---|---|
allowed [Required]+ bool
+ |
+
+ Allowed indicates that all images were allowed to be run. + |
+
reason + string
+ |
+
+ Reason should be empty unless Allowed is false in which case it +may contain a short description of what is wrong. Kubernetes +may truncate excessively long errors when displaying to the user. + |
+
auditAnnotations + map[string]string
+ |
+
+ AuditAnnotations will be added to the attributes object of the +admission controller request using 'AddAnnotation'. The keys should +be prefix-less (i.e., the admission controller will add an +appropriate prefix). + |
+
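Review bot: in the `@@ -77,6 +77,7 @@` hunk of content/en/docs/reference/_index.md, the new entry's label and link target disagree on the API version: the text says `kube-apiserver event rate limit (v1alpha1)` while the path is `/docs/reference/config-api/apiserver-eventratelimit.v1/`. One of the two is wrong, so this is either a mislabeled entry or a dead link; make the label and the path carry the same version as the generated reference page actually has (for example `.../apiserver-eventratelimit.v1alpha1/` if that page is the v1alpha1 one).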
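Review bot: in the `@@ -88,6 +89,7 @@` hunk of _index.md, the link text `ImagePolicy API (v1alpha1)` does not match the page it points to, which this PR adds with `title: Image Policy API (v1alpha1)`; use the same wording in both places. Placing the entry directly after `WebhookAdmission configuration (v1)` is sensible, since `ImageReview` is the payload of the ImagePolicyWebhook admission controller described in admission-controllers.md.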
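Review bot: in the `@@ -356,19 +356,21 @@` hunk of admission-controllers.md, the admonition is wrapped in `{{ note }}` ... `{{ /note }}`, which is not the Hugo shortcode syntax this site uses; the unchanged context in the `@@ -649` hunk of the same file shows the correct form, `{{< note >}}` / `{{< /note >}}`. As written the markers render as literal text (or fail the build) and the note box never appears. Separately, the `--runtime-config=imagepolicy.k8s.io/v1alpha1=true` requirement is a hard prerequisite for the webhook to receive any `ImageReview` at all, so it reads better as its own sentence or bullet than as an "Additionally" appended to the versioning caveat.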
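Review bot: in the `@@ -420,8 +422,8 @@` hunk, replacing the pointer to `plugin/pkg/admission/imagepolicy/admission.go` with only the generated type reference removes the one pointer on this page to the webhook client's behaviour. The new reference page documents just the `ImageReview` fields, not what the API server does when the backend times out, is unreachable, or returns something other than a well-formed `ImageReviewStatus`, which is what anyone building an image policy backend needs to know before relying on it as a control. Keep a link to the source (as a full GitHub URL rather than a bare repository path) next to the new reference link, or describe that failure behaviour on this page.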
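Review bot: in the `@@ -432,9 +434,9 @@` hunk the re-indented list still has inconsistent punctuation: the first item ends with a period (`* request to "break glass" to override a policy, in case of emergency.`) and the other two do not. Drop the trailing period or add one to all three while the lines are being touched.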
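Review bot: in the `@@ -469,8 +471,7 @@` hunk the rewritten sentence is a comma splice: `group/version via the `--runtime-config` flag, both are on by default.` Keep the original's parenthetical minus the version qualifier, i.e. `group/version via the `--runtime-config` flag (both are on by default).`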
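Review bot: in the `@@ -649,9 +650,7 @@` hunk, step 4 still reads `allowed selector defined the plugin configuration file`, which is missing a word; since the line is being rewritten anyway, make it `defined in the plugin configuration file`. Folding `Conflicts result in rejection.` into the step itself is correct and matches the wording of step 3.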
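Review bot: in the new file content/en/docs/reference/config-api/imagepolicy.v1alpha1.md, two field descriptions in the generated tables need attention. The `image` field says `This can be in the form image:tag or image@SHA:012345679abcdef`, which is not a valid digest reference; the digest form is `image@sha256:<hex digest>`, and a policy backend that pins or verifies digests will be matching exactly that format, so the reference should not teach the wrong one. The `annotations` field ends mid-sentence at `It only includes keys which match the pattern`, with the pattern itself missing; the admission-controllers page in this same PR gives it as `*.image-policy.k8s.io/*`, so check whether the generator dropped it (the asterisks in the Go comment are likely being consumed as markdown emphasis and need escaping). Because the front matter sets `auto_generated: true`, both fixes belong in the upstream Go type comments on `ImageReviewContainerSpec` and `ImageReviewSpec` followed by a regeneration, not in a hand edit here, otherwise the next regeneration reverts them. While there, `ImageReview checks if the set of images in a pod are allowed` should read `is allowed`.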