All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.pulumi.kubernetes.admissionregistration.v1.kotlin.inputs.ValidatingWebhookArgs.kt Maven / Gradle / Ivy

Go to download

Build cloud applications and infrastructure by combining the safety and reliability of infrastructure as code with the power of the Kotlin programming language.

There is a newer version: 4.18.2.0
Show newest version
@file:Suppress("NAME_SHADOWING", "DEPRECATION")

package com.pulumi.kubernetes.admissionregistration.v1.kotlin.inputs

import com.pulumi.core.Output
import com.pulumi.core.Output.of
import com.pulumi.kotlin.ConvertibleToJava
import com.pulumi.kotlin.PulumiNullFieldException
import com.pulumi.kotlin.PulumiTagMarker
import com.pulumi.kotlin.applySuspend
import com.pulumi.kubernetes.admissionregistration.v1.inputs.ValidatingWebhookArgs.builder
import com.pulumi.kubernetes.meta.v1.kotlin.inputs.LabelSelectorArgs
import com.pulumi.kubernetes.meta.v1.kotlin.inputs.LabelSelectorArgsBuilder
import kotlin.Int
import kotlin.String
import kotlin.Suppress
import kotlin.Unit
import kotlin.collections.List
import kotlin.jvm.JvmName

/**
 * ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
 * @property admissionReviewVersions AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
 * @property clientConfig ClientConfig defines how to communicate with the hook. Required
 * @property failurePolicy FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
 * @property matchConditions MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
 * The exact matching logic is (in order):
 *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
 *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
 *   3. If any matchCondition evaluates to an error (but none are FALSE):
 *      - If failurePolicy=Fail, reject the request
 *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
 * @property matchPolicy matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
 * - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
 * - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
 * Defaults to "Equivalent"
 * @property name The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
 * @property namespaceSelector NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
 * For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
 *   "matchExpressions": [
 *     {
 *       "key": "runlevel",
 *       "operator": "NotIn",
 *       "values": [
 *         "0",
 *         "1"
 *       ]
 *     }
 *   ]
 * }
 * If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
 *   "matchExpressions": [
 *     {
 *       "key": "environment",
 *       "operator": "In",
 *       "values": [
 *         "prod",
 *         "staging"
 *       ]
 *     }
 *   ]
 * }
 * See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
 * Default to the empty LabelSelector, which matches everything.
 * @property objectSelector ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
 * @property rules Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
 * @property sideEffects SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
 * @property timeoutSeconds TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
 */
public data class ValidatingWebhookArgs(
    public val admissionReviewVersions: Output>,
    public val clientConfig: Output,
    public val failurePolicy: Output? = null,
    public val matchConditions: Output>? = null,
    public val matchPolicy: Output? = null,
    public val name: Output,
    public val namespaceSelector: Output? = null,
    public val objectSelector: Output? = null,
    public val rules: Output>? = null,
    public val sideEffects: Output,
    public val timeoutSeconds: Output? = null,
) : ConvertibleToJava {
    override fun toJava(): com.pulumi.kubernetes.admissionregistration.v1.inputs.ValidatingWebhookArgs = com.pulumi.kubernetes.admissionregistration.v1.inputs.ValidatingWebhookArgs.builder()
        .admissionReviewVersions(
            admissionReviewVersions.applyValue({ args0 ->
                args0.map({ args0 ->
                    args0
                })
            }),
        )
        .clientConfig(clientConfig.applyValue({ args0 -> args0.let({ args0 -> args0.toJava() }) }))
        .failurePolicy(failurePolicy?.applyValue({ args0 -> args0 }))
        .matchConditions(
            matchConditions?.applyValue({ args0 ->
                args0.map({ args0 ->
                    args0.let({ args0 ->
                        args0.toJava()
                    })
                })
            }),
        )
        .matchPolicy(matchPolicy?.applyValue({ args0 -> args0 }))
        .name(name.applyValue({ args0 -> args0 }))
        .namespaceSelector(namespaceSelector?.applyValue({ args0 -> args0.let({ args0 -> args0.toJava() }) }))
        .objectSelector(objectSelector?.applyValue({ args0 -> args0.let({ args0 -> args0.toJava() }) }))
        .rules(rules?.applyValue({ args0 -> args0.map({ args0 -> args0.let({ args0 -> args0.toJava() }) }) }))
        .sideEffects(sideEffects.applyValue({ args0 -> args0 }))
        .timeoutSeconds(timeoutSeconds?.applyValue({ args0 -> args0 })).build()
}

/**
 * Builder for [ValidatingWebhookArgs].
 */
@PulumiTagMarker
public class ValidatingWebhookArgsBuilder internal constructor() {
    private var admissionReviewVersions: Output>? = null

    private var clientConfig: Output? = null

    private var failurePolicy: Output? = null

    private var matchConditions: Output>? = null

    private var matchPolicy: Output? = null

    private var name: Output? = null

    private var namespaceSelector: Output? = null

    private var objectSelector: Output? = null

    private var rules: Output>? = null

    private var sideEffects: Output? = null

    private var timeoutSeconds: Output? = null

    /**
     * @param value AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
     */
    @JvmName("ektqbwmrlbgxquru")
    public suspend fun admissionReviewVersions(`value`: Output>) {
        this.admissionReviewVersions = value
    }

    @JvmName("eqfcgxomrwxbjstp")
    public suspend fun admissionReviewVersions(vararg values: Output) {
        this.admissionReviewVersions = Output.all(values.asList())
    }

    /**
     * @param values AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
     */
    @JvmName("scdpmkvihqlrfoaf")
    public suspend fun admissionReviewVersions(values: List>) {
        this.admissionReviewVersions = Output.all(values)
    }

    /**
     * @param value ClientConfig defines how to communicate with the hook. Required
     */
    @JvmName("gyvvokmrsvmythen")
    public suspend fun clientConfig(`value`: Output) {
        this.clientConfig = value
    }

    /**
     * @param value FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
     */
    @JvmName("ygtxlogjauhathru")
    public suspend fun failurePolicy(`value`: Output) {
        this.failurePolicy = value
    }

    /**
     * @param value MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
     * The exact matching logic is (in order):
     *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
     *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
     *   3. If any matchCondition evaluates to an error (but none are FALSE):
     *      - If failurePolicy=Fail, reject the request
     *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
     */
    @JvmName("wtphpecsqbolmfdr")
    public suspend fun matchConditions(`value`: Output>) {
        this.matchConditions = value
    }

    @JvmName("ewcpasxvigsfsnwj")
    public suspend fun matchConditions(vararg values: Output) {
        this.matchConditions = Output.all(values.asList())
    }

    /**
     * @param values MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
     * The exact matching logic is (in order):
     *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
     *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
     *   3. If any matchCondition evaluates to an error (but none are FALSE):
     *      - If failurePolicy=Fail, reject the request
     *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
     */
    @JvmName("ldhmmeqdjfcfotyi")
    public suspend fun matchConditions(values: List>) {
        this.matchConditions = Output.all(values)
    }

    /**
     * @param value matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
     * - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
     * - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
     * Defaults to "Equivalent"
     */
    @JvmName("hayhsoddvrwxavoi")
    public suspend fun matchPolicy(`value`: Output) {
        this.matchPolicy = value
    }

    /**
     * @param value The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
     */
    @JvmName("ifsuedkwihejbpvw")
    public suspend fun name(`value`: Output) {
        this.name = value
    }

    /**
     * @param value NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
     * For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
     *   "matchExpressions": [
     *     {
     *       "key": "runlevel",
     *       "operator": "NotIn",
     *       "values": [
     *         "0",
     *         "1"
     *       ]
     *     }
     *   ]
     * }
     * If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
     *   "matchExpressions": [
     *     {
     *       "key": "environment",
     *       "operator": "In",
     *       "values": [
     *         "prod",
     *         "staging"
     *       ]
     *     }
     *   ]
     * }
     * See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
     * Default to the empty LabelSelector, which matches everything.
     */
    @JvmName("nsppiphtvhidluaf")
    public suspend fun namespaceSelector(`value`: Output) {
        this.namespaceSelector = value
    }

    /**
     * @param value ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
     */
    @JvmName("dvxtacwcjfmmcgxs")
    public suspend fun objectSelector(`value`: Output) {
        this.objectSelector = value
    }

    /**
     * @param value Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
     */
    @JvmName("tabokctfcxbsijet")
    public suspend fun rules(`value`: Output>) {
        this.rules = value
    }

    @JvmName("fjluosckfyvmohoy")
    public suspend fun rules(vararg values: Output) {
        this.rules = Output.all(values.asList())
    }

    /**
     * @param values Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
     */
    @JvmName("whrvpbhcukvbqlha")
    public suspend fun rules(values: List>) {
        this.rules = Output.all(values)
    }

    /**
     * @param value SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
     */
    @JvmName("uahgueckfslodylh")
    public suspend fun sideEffects(`value`: Output) {
        this.sideEffects = value
    }

    /**
     * @param value TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
     */
    @JvmName("dvrhqbslftmuadwp")
    public suspend fun timeoutSeconds(`value`: Output) {
        this.timeoutSeconds = value
    }

    /**
     * @param value AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
     */
    @JvmName("khylqspwswjvibif")
    public suspend fun admissionReviewVersions(`value`: List) {
        val toBeMapped = value
        val mapped = toBeMapped.let({ args0 -> of(args0) })
        this.admissionReviewVersions = mapped
    }

    /**
     * @param values AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.
     */
    @JvmName("khupfmmqfkdnolno")
    public suspend fun admissionReviewVersions(vararg values: String) {
        val toBeMapped = values.toList()
        val mapped = toBeMapped.let({ args0 -> of(args0) })
        this.admissionReviewVersions = mapped
    }

    /**
     * @param value ClientConfig defines how to communicate with the hook. Required
     */
    @JvmName("pgnkjiyspcreegip")
    public suspend fun clientConfig(`value`: WebhookClientConfigArgs) {
        val toBeMapped = value
        val mapped = toBeMapped.let({ args0 -> of(args0) })
        this.clientConfig = mapped
    }

    /**
     * @param argument ClientConfig defines how to communicate with the hook. Required
     */
    @JvmName("lhwvjobuahlhecen")
    public suspend fun clientConfig(argument: suspend WebhookClientConfigArgsBuilder.() -> Unit) {
        val toBeMapped = WebhookClientConfigArgsBuilder().applySuspend { argument() }.build()
        val mapped = of(toBeMapped)
        this.clientConfig = mapped
    }

    /**
     * @param value FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
     */
    @JvmName("xkvrhfuybjnbvyfl")
    public suspend fun failurePolicy(`value`: String?) {
        val toBeMapped = value
        val mapped = toBeMapped?.let({ args0 -> of(args0) })
        this.failurePolicy = mapped
    }

    /**
     * @param value MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
     * The exact matching logic is (in order):
     *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
     *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
     *   3. If any matchCondition evaluates to an error (but none are FALSE):
     *      - If failurePolicy=Fail, reject the request
     *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
     */
    @JvmName("yewfwousyiscypks")
    public suspend fun matchConditions(`value`: List?) {
        val toBeMapped = value
        val mapped = toBeMapped?.let({ args0 -> of(args0) })
        this.matchConditions = mapped
    }

    /**
     * @param argument MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
     * The exact matching logic is (in order):
     *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
     *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
     *   3. If any matchCondition evaluates to an error (but none are FALSE):
     *      - If failurePolicy=Fail, reject the request
     *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
     */
    @JvmName("dffqsgdiupynncjm")
    public suspend fun matchConditions(argument: List Unit>) {
        val toBeMapped = argument.toList().map {
            MatchConditionArgsBuilder().applySuspend {
                it()
            }.build()
        }
        val mapped = of(toBeMapped)
        this.matchConditions = mapped
    }

    /**
     * @param argument MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
     * The exact matching logic is (in order):
     *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
     *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
     *   3. If any matchCondition evaluates to an error (but none are FALSE):
     *      - If failurePolicy=Fail, reject the request
     *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
     */
    @JvmName("paqncetfokrexfne")
    public suspend fun matchConditions(vararg argument: suspend MatchConditionArgsBuilder.() -> Unit) {
        val toBeMapped = argument.toList().map {
            MatchConditionArgsBuilder().applySuspend {
                it()
            }.build()
        }
        val mapped = of(toBeMapped)
        this.matchConditions = mapped
    }

    /**
     * @param argument MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
     * The exact matching logic is (in order):
     *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
     *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
     *   3. If any matchCondition evaluates to an error (but none are FALSE):
     *      - If failurePolicy=Fail, reject the request
     *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
     */
    @JvmName("yctgjabcmiwkhrlv")
    public suspend fun matchConditions(argument: suspend MatchConditionArgsBuilder.() -> Unit) {
        val toBeMapped = listOf(MatchConditionArgsBuilder().applySuspend { argument() }.build())
        val mapped = of(toBeMapped)
        this.matchConditions = mapped
    }

    /**
     * @param values MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
     * The exact matching logic is (in order):
     *   1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.
     *   2. If ALL matchConditions evaluate to TRUE, the webhook is called.
     *   3. If any matchCondition evaluates to an error (but none are FALSE):
     *      - If failurePolicy=Fail, reject the request
     *      - If failurePolicy=Ignore, the error is ignored and the webhook is skipped
     */
    @JvmName("yuyvjhvoiywnbhlq")
    public suspend fun matchConditions(vararg values: MatchConditionArgs) {
        val toBeMapped = values.toList()
        val mapped = toBeMapped.let({ args0 -> of(args0) })
        this.matchConditions = mapped
    }

    /**
     * @param value matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
     * - Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
     * - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
     * Defaults to "Equivalent"
     */
    @JvmName("vjryxqwipumvsecu")
    public suspend fun matchPolicy(`value`: String?) {
        val toBeMapped = value
        val mapped = toBeMapped?.let({ args0 -> of(args0) })
        this.matchPolicy = mapped
    }

    /**
     * @param value The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.
     */
    @JvmName("vujybusecjbjdnyw")
    public suspend fun name(`value`: String) {
        val toBeMapped = value
        val mapped = toBeMapped.let({ args0 -> of(args0) })
        this.name = mapped
    }

    /**
     * @param value NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
     * For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
     *   "matchExpressions": [
     *     {
     *       "key": "runlevel",
     *       "operator": "NotIn",
     *       "values": [
     *         "0",
     *         "1"
     *       ]
     *     }
     *   ]
     * }
     * If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
     *   "matchExpressions": [
     *     {
     *       "key": "environment",
     *       "operator": "In",
     *       "values": [
     *         "prod",
     *         "staging"
     *       ]
     *     }
     *   ]
     * }
     * See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
     * Default to the empty LabelSelector, which matches everything.
     */
    @JvmName("gkwqslhqqfhsiqoq")
    public suspend fun namespaceSelector(`value`: LabelSelectorArgs?) {
        val toBeMapped = value
        val mapped = toBeMapped?.let({ args0 -> of(args0) })
        this.namespaceSelector = mapped
    }

    /**
     * @param argument NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
     * For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1";  you will set the selector as follows: "namespaceSelector": {
     *   "matchExpressions": [
     *     {
     *       "key": "runlevel",
     *       "operator": "NotIn",
     *       "values": [
     *         "0",
     *         "1"
     *       ]
     *     }
     *   ]
     * }
     * If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": {
     *   "matchExpressions": [
     *     {
     *       "key": "environment",
     *       "operator": "In",
     *       "values": [
     *         "prod",
     *         "staging"
     *       ]
     *     }
     *   ]
     * }
     * See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.
     * Default to the empty LabelSelector, which matches everything.
     */
    @JvmName("tymfxljuwdftyjps")
    public suspend fun namespaceSelector(argument: suspend LabelSelectorArgsBuilder.() -> Unit) {
        val toBeMapped = LabelSelectorArgsBuilder().applySuspend { argument() }.build()
        val mapped = of(toBeMapped)
        this.namespaceSelector = mapped
    }

    /**
     * @param value ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
     */
    @JvmName("xdfkrdnlfsnfqnqj")
    public suspend fun objectSelector(`value`: LabelSelectorArgs?) {
        val toBeMapped = value
        val mapped = toBeMapped?.let({ args0 -> of(args0) })
        this.objectSelector = mapped
    }

    /**
     * @param argument ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.
     */
    @JvmName("fuwegqjqguypxcrt")
    public suspend fun objectSelector(argument: suspend LabelSelectorArgsBuilder.() -> Unit) {
        val toBeMapped = LabelSelectorArgsBuilder().applySuspend { argument() }.build()
        val mapped = of(toBeMapped)
        this.objectSelector = mapped
    }

    /**
     * @param value Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
     */
    @JvmName("jcsefsikksrpaeik")
    public suspend fun rules(`value`: List?) {
        val toBeMapped = value
        val mapped = toBeMapped?.let({ args0 -> of(args0) })
        this.rules = mapped
    }

    /**
     * @param argument Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
     */
    @JvmName("dxtnqbmpvyegkroa")
    public suspend fun rules(argument: List Unit>) {
        val toBeMapped = argument.toList().map {
            RuleWithOperationsArgsBuilder().applySuspend {
                it()
            }.build()
        }
        val mapped = of(toBeMapped)
        this.rules = mapped
    }

    /**
     * @param argument Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
     */
    @JvmName("mxieoarmuerkxrxv")
    public suspend fun rules(vararg argument: suspend RuleWithOperationsArgsBuilder.() -> Unit) {
        val toBeMapped = argument.toList().map {
            RuleWithOperationsArgsBuilder().applySuspend {
                it()
            }.build()
        }
        val mapped = of(toBeMapped)
        this.rules = mapped
    }

    /**
     * @param argument Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
     */
    @JvmName("ifuefyblnofqfmjl")
    public suspend fun rules(argument: suspend RuleWithOperationsArgsBuilder.() -> Unit) {
        val toBeMapped = listOf(RuleWithOperationsArgsBuilder().applySuspend { argument() }.build())
        val mapped = of(toBeMapped)
        this.rules = mapped
    }

    /**
     * @param values Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
     */
    @JvmName("ijqpyqesptgnfufd")
    public suspend fun rules(vararg values: RuleWithOperationsArgs) {
        val toBeMapped = values.toList()
        val mapped = toBeMapped.let({ args0 -> of(args0) })
        this.rules = mapped
    }

    /**
     * @param value SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.
     */
    @JvmName("nypouhsukoejdxns")
    public suspend fun sideEffects(`value`: String) {
        val toBeMapped = value
        val mapped = toBeMapped.let({ args0 -> of(args0) })
        this.sideEffects = mapped
    }

    /**
     * @param value TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.
     */
    @JvmName("licbamrfmejxnxyh")
    public suspend fun timeoutSeconds(`value`: Int?) {
        val toBeMapped = value
        val mapped = toBeMapped?.let({ args0 -> of(args0) })
        this.timeoutSeconds = mapped
    }

    internal fun build(): ValidatingWebhookArgs = ValidatingWebhookArgs(
        admissionReviewVersions = admissionReviewVersions ?: throw
            PulumiNullFieldException("admissionReviewVersions"),
        clientConfig = clientConfig ?: throw PulumiNullFieldException("clientConfig"),
        failurePolicy = failurePolicy,
        matchConditions = matchConditions,
        matchPolicy = matchPolicy,
        name = name ?: throw PulumiNullFieldException("name"),
        namespaceSelector = namespaceSelector,
        objectSelector = objectSelector,
        rules = rules,
        sideEffects = sideEffects ?: throw PulumiNullFieldException("sideEffects"),
        timeoutSeconds = timeoutSeconds,
    )
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy