This is unreleased documentation for Admission Controller 1.36-dev.

Host capabilities call reference

Each host capability is identified by a path string. The following paths can be gated in spec.namespacedPoliciesCapabilities:

| Category | Path | Description |
|---|---|---|
| OCI | oci/v1/verify | Verify an OCI artifact signature (v1) |
| OCI | oci/v2/verify | Verify an OCI artifact signature (v2) |
| OCI | oci/v1/manifest_digest | Fetch an OCI manifest digest |
| OCI | oci/v1/oci_manifest | Fetch an OCI manifest |
| OCI | oci/v1/oci_manifest_config | Fetch an OCI manifest configuration |
| Kubernetes | kubernetes/can_i | Perform a SubjectAccessReview check |
| Net | net/v1/dns_lookup_host | Resolve a host name via DNS |
| Crypto | crypto/v1/is_certificate_trusted | Verify certificate trust chain |

The kubernetes/list_resources_by_namespace, kubernetes/list_resources_all, and kubernetes/get_resource calls aren’t applicable to namespaced policies because those policies have no spec.contextAwareResources field. They’re only relevant for ClusterAdmissionPolicy resources, which always receive full host capability access.

The tracing/log call emits a log entry and is always available.