docs: add schemas (#214)

Signed-off-by: Charles-Edouard Brétéché <[email protected]>
kyverno · Nov 8, 2024 · 4ed9714 · 4ed9714
1 parent 26bea83
commit 4ed9714
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 1 deletion.
diff --git a/.manifests/policies/demo-policy.example.com.yaml b/.manifests/policies/demo-policy.example.com.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/kyverno-envoy-plugin/main/.schemas/json/authorizationpolicy-envoy-v1alpha1.json
 apiVersion: envoy.kyverno.io/v1alpha1
 kind: AuthorizationPolicy
 metadata:

diff --git a/website/docs/policies/authorization-rules.md b/website/docs/policies/authorization-rules.md
@@ -46,7 +46,9 @@ In this simple rule:
     Creates a `CheckResponse` to deny the request with status code `403`
 
 However, we can do a lot more with Envoy's `CheckResponse`.
-Envoy can add or remove headers, query parameters, and even change the response body. (TODO)
+Envoy can add or remove headers, query parameters, register dynamic metadata passed along the filters chain, and even change the response body. (TODO)
+
+![dynamic metadata](../schemas/dynamic-metadata.png)
 
 ### Multiple rules
 

diff --git a/website/docs/quick-start/index.md b/website/docs/quick-start/index.md
@@ -10,6 +10,8 @@ It allows you to enforce Kyverno policies on incoming and outgoing traffic in a
 
 This functionality allows authorization decisions to be offloaded to an external service, which can access the request context. The request context includes details such as the origin and destination of the network activity, as well as specifics of the network request (e.g., HTTP request). This information enables the external service to make a well-informed decision regarding the authorization of the incoming request processed by Envoy.
 
+![overview](../schemas/overview.png)
+
 ## What is the Kyverno Envoy Plugin?
 
 The [Kyverno Envoy Plugin](https://github.com/kyverno/kyverno-envoy-plugin) is gRPC server that implements [Envoy External Authorization API](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter.html).
@@ -20,6 +22,8 @@ This allows you to enforce Kyverno policies on incoming and outgoing traffic in
 
 In addition to the Envoy sidecar, your application pods will include a Kyverno Authz Server component, either as a sidecar or as a separate pod. When Envoy receives an API request intended for your microservice, it consults the Kyverno Authz Server to determine whether the request should be permitted or not.
 
+![filters chain](../schemas/filters-chain.png)
+
 Performing policy evaluations locally with Envoy is advantageous, as it eliminates the need for an additional network hop for authorization checks, thus enhancing both performance and availability.
 
 !!!info

diff --git a/website/docs/schemas/dynamic-metadata.png b/website/docs/schemas/dynamic-metadata.png
diff --git a/website/docs/schemas/filters-chain.png b/website/docs/schemas/filters-chain.png
diff --git a/website/docs/schemas/overview.png b/website/docs/schemas/overview.png