All organization policies have a `match` field, which defines the objects they
apply to. All specified conditions must match before an object is in scope for
a policy.
```yaml
# excludedNamespaces <array>: ExcludedNamespaces is a list of namespace names.
# If defined, a constraint only applies to resources not in a listed namespace.
# ExcludedNamespaces also supports a prefix or suffix based glob. For example,
# `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`,
# and `excludedNamespaces: [*-system]` matches both `kube-system` and
# `gatekeeper-system`.
excludedNamespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
kinds:
  # <list item: object>: Kinds accepts a list of objects with apiGroups and
  # kinds fields that list the groups/kinds of objects to which the mutation
  # will apply. If multiple groups/kinds objects are specified, only one match
  # is needed for the resource to be in scope.
  - # apiGroups <array>: APIGroups is the API groups the resources belong to.
    # '*' is all groups. If '*' is present, the length of the slice must be
    # one. Required.
    apiGroups:
      - <string>
    kinds:
      - <string>
# labelSelector <object>: LabelSelector is the combination of two optional
# fields: `matchLabels` and `matchExpressions`. These two fields provide
# different methods of selecting or excluding k8s objects based on the label
# keys and values included in object metadata. All selection expressions from
# both sections are ANDed to determine if an object meets the cumulative
# requirements of the selector.
labelSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# name <string>: Name is the name of an object. If defined, it will match
# against objects with the specified name. Name also supports a prefix or
# suffix glob. For example, `name: pod-*` would match both `pod-a` and
# `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.
name: <string>
# namespaceSelector <object>: NamespaceSelector is a label selector against an
# object's containing namespace or the object itself, if the object is a
# namespace.
namespaceSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# namespaces <array>: Namespaces is a list of namespace names. If defined, a
# constraint only applies to resources in a listed namespace. Namespaces also
# supports a prefix or suffix based glob. For example, `namespaces: [kube-*]`
# matches both `kube-system` and `kube-public`, and `namespaces: [*-system]`
# matches both `kube-system` and `gatekeeper-system`.
namespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
# scope <string>: Scope determines if cluster-scoped and/or namespaced-scoped
# resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to
# `*`)
scope: <string>
# source <string>: Source determines whether generated or original resources
# are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A
# value of `Generated` will only match generated resources, while `Original`
# will only match regular resources.
# Allowed Values: All, Generated, Original
source: <string>
```
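The Python sketch below is an added example, not code from this page or from the project it documents. It models how the `match` fields described above combine (AND across fields, OR across `kinds` entries, front/end globs) and lists the objects a policy would not evaluate, which is where an overly broad `excludedNamespaces` glob shows up. The object dictionaries, the names and the `out_of_scope` helper are assumptions; only namespaced objects are modelled, and `name`, `namespaceSelector`, `scope` and `source` are left out.

```python
def glob_match(pattern, value):
    # A wildcard is honoured only at the front or the end; without "*" it is exact.
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def selector_match(selector, labels):
    # matchLabels and matchExpressions are ANDed together.
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for req in selector.get("matchExpressions", []):
        key, values = req["key"], req.get("values", [])
        ok = {"In": labels.get(key) in values, "NotIn": labels.get(key) not in values,
              "Exists": key in labels, "DoesNotExist": key not in labels}[req["operator"]]
        if not ok:
            return False
    return True

def kinds_match(kinds, obj):
    # Several groups/kinds entries are ORed: one matching entry is enough.
    return not kinds or any(
        ("*" in k["apiGroups"] or obj["group"] in k["apiGroups"])
        and obj["kind"] in k["kinds"] for k in kinds)

def in_scope(match, obj):
    # Every field that is specified must match (AND across fields).
    ns = obj["namespace"]  # assumption: only namespaced objects are modelled
    wanted = match.get("namespaces", [])
    return (not any(glob_match(p, ns) for p in match.get("excludedNamespaces", []))
            and (not wanted or any(glob_match(p, ns) for p in wanted))
            and kinds_match(match.get("kinds", []), obj)
            and selector_match(match.get("labelSelector", {}), obj.get("labels", {})))

# Constructed sample (hypothetical names): one match block and a few cluster objects.
MATCH = {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
         "excludedNamespaces": ["*-system"],
         "labelSelector": {"matchExpressions": [
             {"key": "tier", "operator": "NotIn", "values": ["sandbox"]}]}}
OBJECTS = [dict(zip(("group", "kind", "name", "namespace", "labels"), row)) for row in [
    ("", "Pod", "api", "prod", {}),
    ("", "Pod", "dns", "kube-system", {}),
    ("", "Pod", "ledger", "payments-system", {}),  # tenant namespace caught by the glob
    ("apps", "Deployment", "api", "prod", {}),
    ("", "Pod", "scratch", "prod", {"tier": "sandbox"})]]

def out_of_scope(match, objects):
    return [f'{o["namespace"]}/{o["kind"]}/{o["name"]}' for o in objects if not in_scope(match, o)]
```

Running `out_of_scope(MATCH, OBJECTS)` shows that the `*-system` exclusion exempts the `payments-system` workload along with `kube-system`, so exclusion globs are worth checking against the real namespace list before a policy is enforced.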
Last updated 2025-08-25 UTC.