모든 조직 정책에는 정책이 적용되는 객체를 정의하는 match 필드가 있습니다. 지정된 조건이 모두 일치해야만 객체가 정책의 적용 범위에 포함됩니다.
# excludedNamespaces <array>: ExcludedNamespaces is a list of namespace names.
# If defined, a constraint only applies to resources not in a listed namespace.
# ExcludedNamespaces also supports a prefix or suffix based glob.  For example,
# `excludedNamespaces: ["kube-*"]` matches both `kube-system` and
# `kube-public`, and `excludedNamespaces: ["*-system"]` matches both
# `kube-system` and `gatekeeper-system`.
# Quote any pattern that begins with `*`: YAML reads an unquoted leading `*`
# as an alias, so `[*-system]` is not parsed as a string.
# Note: every namespace matched here is outside this constraint, and a glob
# also covers namespaces created later whose names fit the pattern.  Prefer
# exact names or the narrowest pattern that works, and keep namespace creation
# restricted so that an exclusion cannot be obtained by choosing a name.
excludedNamespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system".  The asterisk is required for
  # wildcard matching; without it the string is compared as an exact name.
  - <string>
# kinds <array>: selects objects by API group and kind.
kinds:
  # <list item: object>: Kinds accepts a list of objects with apiGroups and
  # kinds fields that list the groups/kinds of objects to which the mutation
  # will apply. If multiple groups/kinds objects are specified, only one match
  # is needed for the resource to be in scope.
  # Note: the word "mutation" is the text's own; on this page the match
  # decides which objects the policy applies to.
  - # apiGroups <array>: APIGroups is the API groups the resources belong to.
    # '*' is all groups. If '*' is present, the length of the slice must be
    # one. Required.
    # The core API group (Pod, Service, Namespace, ...) is written as the
    # empty string "".  A wrong group name does not raise an error here; the
    # entry simply matches nothing, so check the group of each kind listed.
    apiGroups:
      - <string>
    # kinds <array>: the object kinds, within the API groups listed above,
    # that this entry brings into scope.
    kinds:
      - <string>
# labelSelector <object>: LabelSelector is the combination of two optional
# fields: `matchLabels` and `matchExpressions`.  These two fields provide
# different methods of selecting or excluding k8s objects based on the label
# keys and values included in object metadata.  All selection expressions from
# both sections are ANDed to determine if an object meets the cumulative
# requirements of the selector.
# Note: the labels read here are part of the object's own metadata, so whoever
# may create or update the object also decides whether it is selected.  Where
# the constraint is meant as a security control, avoid selectors that let a
# workload owner opt out (for example NotIn or DoesNotExist on a label they
# control) and scope by namespace instead.
labelSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  # `[key]` below is a placeholder for a label key, not literal YAML.
  matchLabels:
    [key]: <string>
# name <string>: Name is the name of an object.  If defined, it will match
# against objects with the specified name.  Name also supports a prefix or
# suffix glob.  For example, `name: pod-*` would match both `pod-a` and
# `pod-b`, and `name: "*-pod"` would match both `a-pod` and `b-pod`.
# A pattern that begins with `*` must be quoted: YAML reads an unquoted
# leading `*` as an alias, not as a string.
# Note: an object's name is chosen by whoever creates it, so a name match
# narrows the constraint to objects that happen to carry that name; objects
# with any other name are out of scope.
name: <string>
# namespaceSelector <object>: NamespaceSelector is a label selector against an
# object's containing namespace or the object itself, if the object is a
# namespace.
# Note: scope is decided by labels on the Namespace object, so whoever may
# label namespaces decides which namespaces the constraint covers.  Keep
# permission to create and relabel namespaces limited accordingly, and
# remember that a namespace lacking the expected label is silently out of
# scope when matching with matchLabels or In.
namespaceSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  # `[key]` below is a placeholder for a label key, not literal YAML.
  matchLabels:
    [key]: <string>
# namespaces <array>: Namespaces is a list of namespace names. If defined, a
# constraint only applies to resources in a listed namespace.  Namespaces also
# supports a prefix or suffix based glob.  For example,
# `namespaces: ["kube-*"]` matches both `kube-system` and `kube-public`, and
# `namespaces: ["*-system"]` matches both `kube-system` and
# `gatekeeper-system`.
# Quote any pattern that begins with `*`: YAML reads an unquoted leading `*`
# as an alias, so `[*-system]` is not parsed as a string.
# Note: this is an allow-list of where the constraint applies.  A namespace
# added later is covered only if its name is listed or fits a pattern, so
# review this list whenever namespaces are added.
namespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system".  The asterisk is required for
  # wildcard matching; without it the string is compared as an exact name.
  - <string>
# scope <string>: Scope determines if cluster-scoped and/or namespaced-scoped
# resources are matched.  Accepts `*`, `Cluster`, or `Namespaced`. (defaults to
# `*`)
# Write the wildcard quoted (`scope: "*"`); an unquoted `*` is read by YAML as
# an alias.  Choosing `Cluster` or `Namespaced` leaves resources of the other
# scope unmatched by this constraint.
scope: <string>
# source <string>: Source determines whether generated or original resources
# are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A
# value of `Generated` will only match generated resources, while `Original`
# will only match regular resources.
# Allowed Values: All, Generated, Original
# Note: `Generated` and `Original` each leave the other class of resource
# outside this constraint; keep the default `All` unless that narrower scope
# is intended.
source: <string>