Custom Resource Definitions (CRD)

apiVersion string

policies.kubewarden.io/v1

kind string

AdmissionPolicy

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec AdmissionPolicySpec

apiVersion string

policies.kubewarden.io/v1

kind string

AdmissionPolicyGroup

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec AdmissionPolicyGroupSpec

apiVersion string

policies.kubewarden.io/v1

kind string

AdmissionPolicyGroupList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items AdmissionPolicyGroup array

PolicyGroupSpec PolicyGroupSpec

apiVersion string

policies.kubewarden.io/v1

kind string

AdmissionPolicyList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items AdmissionPolicy array

PolicySpec PolicySpec

apiVersion string

policies.kubewarden.io/v1

kind string

ClusterAdmissionPolicy

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec ClusterAdmissionPolicySpec

apiVersion string

policies.kubewarden.io/v1

kind string

ClusterAdmissionPolicyGroup

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec ClusterAdmissionPolicyGroupSpec

apiVersion string

policies.kubewarden.io/v1

kind string

ClusterAdmissionPolicyGroupList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items ClusterAdmissionPolicyGroup array

PolicyGroupSpec PolicyGroupSpec

namespaceSelector LabelSelector

NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
<br/><br/>
For example, to run the webhook on any objects whose namespace is not
associated with "runlevel" of "0" or "1"; you will set the selector as
follows:
<pre>
"namespaceSelector": \{<br/>
  "matchExpressions": [<br/>
    \{<br/>
      "key": "runlevel",<br/>
      "operator": "NotIn",<br/>
      "values": [<br/>
        "0",<br/>
        "1"<br/>
      ]<br/>
    \}<br/>
  ]<br/>
\}
</pre>
If instead you want to only run the webhook on any objects whose
namespace is associated with the "environment" of "prod" or "staging";
you will set the selector as follows:
<pre>
"namespaceSelector": \{<br/>
  "matchExpressions": [<br/>
    \{<br/>
      "key": "environment",<br/>
      "operator": "In",<br/>
      "values": [<br/>
        "prod",<br/>
        "staging"<br/>
      ]<br/>
    \}<br/>
  ]<br/>
\}
</pre>
See
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors.
<br/><br/>
Default to the empty LabelSelector, which matches everything.

apiVersion string

policies.kubewarden.io/v1

kind string

ClusterAdmissionPolicyList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items ClusterAdmissionPolicy array

PolicySpec PolicySpec

namespaceSelector LabelSelector

NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
<br/><br/>
For example, to run the webhook on any objects whose namespace is not
associated with "runlevel" of "0" or "1"; you will set the selector as
follows:
<pre>
"namespaceSelector": \{<br/>
  "matchExpressions": [<br/>
    \{<br/>
      "key": "runlevel",<br/>
      "operator": "NotIn",<br/>
      "values": [<br/>
        "0",<br/>
        "1"<br/>
      ]<br/>
    \}<br/>
  ]<br/>
\}
</pre>
If instead you want to only run the webhook on any objects whose
namespace is associated with the "environment" of "prod" or "staging";
you will set the selector as follows:
<pre>
"namespaceSelector": \{<br/>
  "matchExpressions": [<br/>
    \{<br/>
      "key": "environment",<br/>
      "operator": "In",<br/>
      "values": [<br/>
        "prod",<br/>
        "staging"<br/>
      ]<br/>
    \}<br/>
  ]<br/>
\}
</pre>
See
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors.
<br/><br/>
Default to the empty LabelSelector, which matches everything.

contextAwareResources ContextAwareResource array

List of Kubernetes resources the policy is allowed to access at evaluation time.
Access to these resources is done using the ServiceAccount of the PolicyServer
the policy is assigned to.

apiVersion string

apiVersion of the resource (v1 for core group, groupName/groupVersions for other).

kind string

Singular PascalCase name of the resource

module string

Module is the location of the WASM module to be loaded. Can be a
local file (file://), a remote file served by an HTTP server
(http://, https://), or an artifact served by an OCI-compatible
registry (registry://).
If prefix is missing, it will default to registry:// and use that
internally.

Required: {}

settings RawExtension

Settings is a free-form object that contains the policy configuration
values.
x-kubernetes-embedded-resource: false

contextAwareResources ContextAwareResource array

List of Kubernetes resources the policy is allowed to access at evaluation time.
Access to these resources is done using the ServiceAccount of the PolicyServer
the policy is assigned to.

policyServer string

PolicyServer identifies an existing PolicyServer resource.

default

mode PolicyMode

Mode defines the execution mode of this policy. Can be set to
either "protect" or "monitor". If it’s empty, it is defaulted to
"protect".
Transitioning this setting from "monitor" to "protect" is
allowed, but is disallowed to transition from "protect" to
"monitor". To perform this transition, the policy should be
recreated in "monitor" mode instead.

protect

Enum: [protect monitor]

rules RuleWithOperations array

Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.

failurePolicy FailurePolicyType

FailurePolicy defines how unrecognized errors and timeout errors from the
policy are handled. Allowed values are "Ignore" or "Fail".
* "Ignore" means that an error calling the webhook is ignored and the API
request is allowed to continue.
* "Fail" means that an error calling the webhook causes the admission to
fail and the API request to be rejected.
The default behaviour is "Fail"

backgroundAudit boolean

BackgroundAudit indicates whether a policy should be used or skipped when
performing audit checks. If false, the policy cannot produce meaningful
evaluation results during audit checks and will be skipped.
The default is "true".

true

matchPolicy MatchPolicyType

matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
<ul>
<li>
Exact: match a request only if it exactly matches a specified rule.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
</li>
<li>
Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
</li>
</ul>
Defaults to "Equivalent"

matchConditions MatchCondition array

MatchConditions are a list of conditions that must be met for a request to be
validated. Match conditions filter requests that have already been matched by
the rules, namespaceSelector, and objectSelector. An empty list of
matchConditions matches all requests. There are a maximum of 64 match
conditions allowed. If a parameter object is provided, it can be accessed via
the params handle in the same manner as validation expressions. The exact
matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
is evaluated. 3. If any matchCondition evaluates to an error (but none are
FALSE): - If failurePolicy=Fail, reject the request - If
failurePolicy=Ignore, the policy is skipped.
Only available if the feature gate AdmissionWebhookMatchConditions is enabled.

objectSelector LabelSelector

ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector. A null
object (oldObject in the case of create, or newObject in the case of
delete) or an object that cannot have labels (like a
DeploymentRollback or a PodProxyOptions object) is not considered to
match.
Use the object selector only if the webhook is opt-in, because end
users may skip the admission webhook by setting the labels.
Default to the empty LabelSelector, which matches everything.

sideEffects SideEffectClass

SideEffects states whether this webhook has side effects.
Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
Webhooks with side effects MUST implement a reconciliation system, since a request may be
rejected by a future step in the admission change and the side effects therefore need to be undone.
Requests with the dryRun attribute will be auto-rejected if they match a webhook with
sideEffects == Unknown or Some.

timeoutSeconds integer

TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
the webhook call will be ignored or the API call will fail based on the
failure policy.
The timeout value must be between 1 and 30 seconds.
Default to 10 seconds.

10

expression string

Expression is the evaluation expression to accept or reject the
admission request under evaluation. This field uses CEL as the
expression language for the policy groups. Each policy in the group
will be represented as a function call in the expression with the
same name as the policy defined in the group. The expression field
should be a valid CEL expression that evaluates to a boolean value.
If the expression evaluates to true, the group policy will be
considered as accepted, otherwise, it will be considered as
rejected. This expression allows grouping policies calls and perform
logical operations on the results of the policies. See Kubewarden
documentation to learn about all the features available.

Required: {}

message string

Message is used to specify the message that will be returned when
the policy group is rejected. The specific policy results will be
returned in the warning field of the response.

Required: {}

policies PolicyGroupMembers

Policies is a list of policies that are part of the group that will
be available to be called in the evaluation expression field.
Each policy in the group should be a Kubewarden policy.

Required: {}

apiVersion string

policies.kubewarden.io/v1

kind string

PolicyServer

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec PolicyServerSpec

apiVersion string

policies.kubewarden.io/v1

kind string

PolicyServerList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items PolicyServer array

container SecurityContext

securityContext definition to be used in the policy server container

pod PodSecurityContext

podSecurityContext definition to be used in the policy server Pod

image string

Docker image name.

replicas integer

Replicas is the number of desired replicas.

minAvailable IntOrString

Number of policy server replicas that must be still available after the
eviction. The value can be an absolute number or a percentage. Only one of
MinAvailable or Max MaxUnavailable can be set.

maxUnavailable IntOrString

Number of policy server replicas that can be unavailable after the
eviction. The value can be an absolute number or a percentage. Only one of
MinAvailable or Max MaxUnavailable can be set.

annotations object (keys:string, values:string)

Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: http://kubernetes.io/docs/user-guide/annotations

env EnvVar array

List of environment variables to set in the container.

serviceAccountName string

Name of the service account associated with the policy server.
Namespace service account will be used if not specified.

imagePullSecret string

Name of ImagePullSecret secret in the same namespace, used for pulling
policies from repositories.

insecureSources string array

List of insecure URIs to policy repositories. The insecureSources
content format corresponds with the contents of the insecure_sources
key in sources.yaml. Reference for sources.yaml is found in the
Kubewarden documentation in the reference section.

sourceAuthorities object (keys:string, values:string array)

Key value map of registry URIs endpoints to a list of their associated
PEM encoded certificate authorities that have to be used to verify the
certificate used by the endpoint. The sourceAuthorities content format
corresponds with the contents of the source_authorities key in
sources.yaml. Reference for sources.yaml is found in the Kubewarden
documentation in the reference section.

verificationConfig string

Name of VerificationConfig configmap in the same namespace, containing
Sigstore verification configuration. The configuration must be under a
key named verification-config in the Configmap.

securityContexts PolicyServerSecurity

Security configuration to be used in the Policy Server workload.
The field allows different configurations for the pod and containers.
If set for the containers, this configuration will not be used in
containers added by other controllers (e.g. telemetry sidecars)

affinity Affinity

Affinity rules for the associated Policy Server pods.

limits ResourceList

Limits describes the maximum amount of compute resources allowed.

requests ResourceList

Requests describes the minimum amount of compute resources required.
If Request is omitted for, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value

tolerations Toleration array

Tolerations describe the policy server pod’s tolerations. It can be
used to ensure that the policy server pod is not scheduled onto a
node with a taint.

policyServer string

PolicyServer identifies an existing PolicyServer resource.

default

mode PolicyMode

Mode defines the execution mode of this policy. Can be set to
either "protect" or "monitor". If it’s empty, it is defaulted to
"protect".
Transitioning this setting from "monitor" to "protect" is
allowed, but is disallowed to transition from "protect" to
"monitor". To perform this transition, the policy should be
recreated in "monitor" mode instead.

protect

Enum: [protect monitor]

module string

Module is the location of the WASM module to be loaded. Can be a
local file (file://), a remote file served by an HTTP server
(http://, https://), or an artifact served by an OCI-compatible
registry (registry://).
If prefix is missing, it will default to registry:// and use that
internally.

Required: {}

settings RawExtension

Settings is a free-form object that contains the policy configuration
values.
x-kubernetes-embedded-resource: false

rules RuleWithOperations array

Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.

failurePolicy FailurePolicyType

FailurePolicy defines how unrecognized errors and timeout errors from the
policy are handled. Allowed values are "Ignore" or "Fail".
* "Ignore" means that an error calling the webhook is ignored and the API
request is allowed to continue.
* "Fail" means that an error calling the webhook causes the admission to
fail and the API request to be rejected.
The default behaviour is "Fail"

mutating boolean

Mutating indicates whether a policy has the ability to mutate
incoming requests or not.

backgroundAudit boolean

BackgroundAudit indicates whether a policy should be used or skipped when
performing audit checks. If false, the policy cannot produce meaningful
evaluation results during audit checks and will be skipped.
The default is "true".

true

matchPolicy MatchPolicyType

matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
<ul>
<li>
Exact: match a request only if it exactly matches a specified rule.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
</li>
<li>
Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
</li>
</ul>
Defaults to "Equivalent"

matchConditions MatchCondition array

MatchConditions are a list of conditions that must be met for a request to be
validated. Match conditions filter requests that have already been matched by
the rules, namespaceSelector, and objectSelector. An empty list of
matchConditions matches all requests. There are a maximum of 64 match
conditions allowed. If a parameter object is provided, it can be accessed via
the params handle in the same manner as validation expressions. The exact
matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,
the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy
is evaluated. 3. If any matchCondition evaluates to an error (but none are
FALSE): - If failurePolicy=Fail, reject the request - If
failurePolicy=Ignore, the policy is skipped.
Only available if the feature gate AdmissionWebhookMatchConditions is enabled.

objectSelector LabelSelector

ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector. A null
object (oldObject in the case of create, or newObject in the case of
delete) or an object that cannot have labels (like a
DeploymentRollback or a PodProxyOptions object) is not considered to
match.
Use the object selector only if the webhook is opt-in, because end
users may skip the admission webhook by setting the labels.
Default to the empty LabelSelector, which matches everything.

sideEffects SideEffectClass

SideEffects states whether this webhook has side effects.
Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
Webhooks with side effects MUST implement a reconciliation system, since a request may be
rejected by a future step in the admission change and the side effects therefore need to be undone.
Requests with the dryRun attribute will be auto-rejected if they match a webhook with
sideEffects == Unknown or Some.

timeoutSeconds integer

TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
the webhook call will be ignored or the API call will fail based on the
failure policy.
The timeout value must be between 1 and 30 seconds.
Default to 10 seconds.

10

apiVersion string

policies.kubewarden.io/v1alpha2

kind string

AdmissionPolicy

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec AdmissionPolicySpec

apiVersion string

policies.kubewarden.io/v1alpha2

kind string

AdmissionPolicyList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items AdmissionPolicy array

PolicySpec PolicySpec

apiVersion string

policies.kubewarden.io/v1alpha2

kind string

ClusterAdmissionPolicy

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec ClusterAdmissionPolicySpec

apiVersion string

policies.kubewarden.io/v1alpha2

kind string

ClusterAdmissionPolicyList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items ClusterAdmissionPolicy array

PolicySpec PolicySpec

namespaceSelector LabelSelector

NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
<br/><br/>
For example, to run the webhook on any objects whose namespace is not
associated with "runlevel" of "0" or "1"; you will set the selector as
follows:
<pre>
"namespaceSelector": \{<br/>
  "matchExpressions": [<br/>
    \{<br/>
      "key": "runlevel",<br/>
      "operator": "NotIn",<br/>
      "values": [<br/>
        "0",<br/>
        "1"<br/>
      ]<br/>
    \}<br/>
  ]<br/>
\}
</pre>
If instead you want to only run the webhook on any objects whose
namespace is associated with the "environment" of "prod" or "staging";
you will set the selector as follows:
<pre>
"namespaceSelector": \{<br/>
  "matchExpressions": [<br/>
    \{<br/>
      "key": "environment",<br/>
      "operator": "In",<br/>
      "values": [<br/>
        "prod",<br/>
        "staging"<br/>
      ]<br/>
    \}<br/>
  ]<br/>
\}
</pre>
See
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors.
<br/><br/>
Default to the empty LabelSelector, which matches everything.

apiVersion string

policies.kubewarden.io/v1alpha2

kind string

PolicyServer

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

spec PolicyServerSpec

apiVersion string

policies.kubewarden.io/v1alpha2

kind string

PolicyServerList

metadata ListMeta

Refer to Kubernetes API documentation for fields of metadata.

items PolicyServer array

image string

Docker image name.

replicas integer

Replicas is the number of desired replicas.

annotations object (keys:string, values:string)

Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: http://kubernetes.io/docs/user-guide/annotations

env EnvVar array

List of environment variables to set in the container.

serviceAccountName string

Name of the service account associated with the policy server.
Namespace service account will be used if not specified.

imagePullSecret string

Name of ImagePullSecret secret in the same namespace, used for pulling
policies from repositories.

insecureSources string array

List of insecure URIs to policy repositories. The insecureSources
content format corresponds with the contents of the insecure_sources
key in sources.yaml. Reference for sources.yaml is found in the
Kubewarden documentation in the reference section.

sourceAuthorities object (keys:string, values:string array)

Key value map of registry URIs endpoints to a list of their associated
PEM encoded certificate authorities that have to be used to verify the
certificate used by the endpoint. The sourceAuthorities content format
corresponds with the contents of the source_authorities key in
sources.yaml. Reference for sources.yaml is found in the Kubewarden
documentation in the reference section.

verificationConfig string

Name of VerificationConfig configmap in the same namespace, containing
Sigstore verification configuration. The configuration must be under a
key named verification-config in the Configmap.

policyServer string

PolicyServer identifies an existing PolicyServer resource.

default

module string

Module is the location of the WASM module to be loaded. Can be a
local file (file://), a remote file served by an HTTP server
(http://, https://), or an artifact served by an OCI-compatible
registry (registry://).

Required: {}

mode PolicyMode

Mode defines the execution mode of this policy. Can be set to
either "protect" or "monitor". If it’s empty, it is defaulted to
"protect".
Transitioning this setting from "monitor" to "protect" is
allowed, but is disallowed to transition from "protect" to
"monitor". To perform this transition, the policy should be
recreated in "monitor" mode instead.

protect

Enum: [protect monitor]

settings RawExtension

Settings is a free-form object that contains the policy configuration
values.
x-kubernetes-embedded-resource: false

rules RuleWithOperations array

Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.

failurePolicy FailurePolicyType

FailurePolicy defines how unrecognized errors and timeout errors from the
policy are handled. Allowed values are "Ignore" or "Fail".
* "Ignore" means that an error calling the webhook is ignored and the API
request is allowed to continue.
* "Fail" means that an error calling the webhook causes the admission to
fail and the API request to be rejected.
The default behaviour is "Fail"

mutating boolean

Mutating indicates whether a policy has the ability to mutate
incoming requests or not.

matchPolicy MatchPolicyType

matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
<ul>
<li>
Exact: match a request only if it exactly matches a specified rule.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
</li>
<li>
Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"],
a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
</li>
</ul>
Defaults to "Equivalent"

objectSelector LabelSelector

ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector. A null
object (oldObject in the case of create, or newObject in the case of
delete) or an object that cannot have labels (like a
DeploymentRollback or a PodProxyOptions object) is not considered to
match.
Use the object selector only if the webhook is opt-in, because end
users may skip the admission webhook by setting the labels.
Default to the empty LabelSelector, which matches everything.

sideEffects SideEffectClass

SideEffects states whether this webhook has side effects.
Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
Webhooks with side effects MUST implement a reconciliation system, since a request may be
rejected by a future step in the admission change and the side effects therefore need to be undone.
Requests with the dryRun attribute will be auto-rejected if they match a webhook with
sideEffects == Unknown or Some.

timeoutSeconds integer

TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
the webhook call will be ignored or the API call will fail based on the
failure policy.
The timeout value must be between 1 and 30 seconds.
Default to 10 seconds.

10