docs(api): add application api reference and openapi schema

[tossmilestone]

Added a comprehensive guide for Kyverno policies covering:

• Validation (disallow latest tags)
• Mutation (batch inject labels and restart policy)
• Generation (namespace isolation via NetworkPolicy)

Summary by CodeRabbit

• Documentation
  • Added comprehensive Application APIs documentation covering lifecycle operations (rollback, start, stop actions) and management operations for snapshots and exports
  • Included documentation for application query capabilities, resource topology retrieval, and container log access
  • Published complete OpenAPI 3.0.0 specification detailing all application management endpoints and data models

[coderabbitai]

Walkthrough

Introduces new documentation pages and an OpenAPI specification for Alauda Container Platform Application APIs, covering lifecycle management, query operations, and management workflows with detailed endpoint definitions and schema specifications.

Changes

Cohort / File(s)	Summary
Application API Documentation docs/en/apis/advanced_apis/application/index.mdx, docs/en/apis/advanced_apis/application/lifecycle.mdx, docs/en/apis/advanced_apis/application/management.mdx, docs/en/apis/advanced_apis/application/query.mdx	New MDX documentation pages for Application APIs with i18n frontmatter covering index overview, lifecycle operations (rollback, start, stop), management operations (snapshots, exports, task execution), and query operations (status, resources, topology).
OpenAPI Specification docs/shared/openapis/application.v1.json	New OpenAPI 3.0.0 schema defining secured endpoints under /acp/v1 for application resource management, including CRUD operations, action endpoints (rollback, start, stop), snapshots, address retrieval, resource search, topology queries, cronjob execution, and container logs, with comprehensive schema definitions for Application, ApplicationSpec, ApplicationStatus, and ObjectMeta models.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• chinameok
• fanzy618

Poem

🐰 Hoppy docs to mark the day,
APIs mapped in every way,
Applications dance and start anew,
Queries answered, specs so true,
The rabbit hops with specs in hand! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately describes the main change—adding application API reference documentation and OpenAPI schema files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/application-api

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md (1)

211-214: ⚠️ Potential issue | 🔴 Critical

Fix potential markdown/render break at the end of the document.

The tail of the file appears to include a stray standalone line/number (214) and/or mismatched closing markup (there’s an odd closing fence right after the “More Policy Examples” link). This can break page rendering or leave an unterminated code block on GitHub.

✅ Proposed fix

-For a comprehensive library of ready-to-use policy examples, please visit the official [Kyverno Community Policies](https://kyverno.io/policies/). There you can find hundreds of validation, mutation, and generation policies for various workloads and security standards.
-214
+For a comprehensive library of ready-to-use policy examples, please visit the official [Kyverno Community Policies](https://kyverno.io/policies/). There you can find hundreds of validation, mutation, and generation policies for various workloads and security standards.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md`
around lines 211 - 214, Remove the stray trailing characters that can break
rendering by deleting the standalone "214" line and any unmatched closing
code-fence or stray backticks that follow the "More Policy Examples" section
(the line containing the Kyverno Community Policies link); ensure there is no
unterminated code block left in the document and that the file ends with a
single newline so the markdown renders cleanly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md`:
- Around line 99-106: The mutate policy's namespace exclusion under the
"exclude" -> "any" -> "resources" -> "namespaces" block only lists kube-system
and kyverno, which may miss other system namespaces; update that namespaces list
(referencing the exclude/resources/namespaces block and the mutate section) to
also include kube-public and kube-node-lease (or add a short clarifying note in
the document explaining why those namespaces are intentionally omitted) so the
example matches the later "Exclude System Namespaces" guidance.
- Around line 118-130: The test is brittle: it may create a controller with
`kubectl run test-pod` and uses grep on YAML output; change the Pod creation to
force a single Pod (use `--restart=Never` or otherwise ensure a plain Pod) and
replace the fragile `kubectl get ... | grep` checks with deterministic jsonpath
assertions against the mutated fields in the created Pod—specifically assert
`.metadata.labels.managed-by`, `.metadata.labels.company-standard` and
`.spec.restartPolicy` after applying `mutate-pod-defaults.yaml` to verify the
mutation policy behavior.
- Around line 54-57: The policy currently only validates spec.containers[].image
for the "no latest tag" rule; update the Kyverno validation to also check
spec.initContainers[].image (or use a combined path like spec.containers and
spec.initContainers or spec.allContainers if supported) so initContainers cannot
use ":latest" either—locate the rule referencing spec.containers[].image and add
a matching pattern/validation block for spec.initContainers[].image (or a
unified images check) ensuring the same deny condition applies to both arrays.
- Around line 59-70: The test uses "kubectl run test-pod-*" which can create a
controller instead of a Pod, so update the example to reliably create Pods:
change the "kubectl run test-pod-latest" and "kubectl run test-pod-version"
commands to include "--restart=Never" (or replace them with explicit Pod
manifests applied via "kubectl apply -f") so the Validate policy (matching kind:
Pod in disallow-latest-tag.yaml) is evaluated at creation time and the "Should
be blocked"/"Should succeed" expectations are deterministic.

---

Outside diff comments:
In `@docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md`:
- Around line 211-214: Remove the stray trailing characters that can break
rendering by deleting the standalone "214" line and any unmatched closing
code-fence or stray backticks that follow the "More Policy Examples" section
(the line containing the Kyverno Community Policies link); ensure there is no
unterminated code block left in the document and that the file ends with a
single newline so the markdown renders cleanly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bc6e93d9-2fa5-42bf-b03d-9bae8bd928df

📥 Commits

Reviewing files that changed from the base of the PR and between 35846a8 and d091a8f.

📒 Files selected for processing (1)

• docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Consider also disallowing latest for initContainers.

The validation pattern only checks spec.containers[].image. If you want “no Pod can be created using the latest image tag” to cover all images, you likely also want to validate spec.initContainers[].image.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md`
around lines 54 - 57, The policy currently only validates
spec.containers[].image for the "no latest tag" rule; update the Kyverno
validation to also check spec.initContainers[].image (or use a combined path
like spec.containers and spec.initContainers or spec.allContainers if supported)
so initContainers cannot use ":latest" either—locate the rule referencing
spec.containers[].image and add a matching pattern/validation block for
spec.initContainers[].image (or a unified images check) ensuring the same deny
condition applies to both arrays.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Make the Validate-policy test reliably create a Pod (not just a controller).

Your Validate policy matches kind: Pod, but the test uses kubectl run without forcing a Pod. Depending on kubectl version/settings, kubectl run may create a Deployment (or other controller), and failures may happen later (when the Pod is created) rather than at the kubectl run step—making the “Should be blocked” expectation confusing.

Update the commands to explicitly create a Pod, e.g. add --restart=Never and/or use an explicit Pod manifest.

Suggested change

-# Try to create a pod using the latest tag (Should be blocked)
-kubectl run test-pod-latest --image=nginx:latest
+# Try to create a pod using the latest tag (Should be blocked)
+kubectl run test-pod-latest --image=nginx:latest --restart=Never

-# Create a pod using a specific version (Should succeed)
-kubectl run test-pod-version --image=nginx:1.24.0
+# Create a pod using a specific version (Should succeed)
+kubectl run test-pod-version --image=nginx:1.24.0 --restart=Never

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md`
around lines 59 - 70, The test uses "kubectl run test-pod-*" which can create a
controller instead of a Pod, so update the example to reliably create Pods:
change the "kubectl run test-pod-latest" and "kubectl run test-pod-version"
commands to include "--restart=Never" (or replace them with explicit Pod
manifests applied via "kubectl apply -f") so the Validate policy (matching kind:
Pod in disallow-latest-tag.yaml) is evaluated at creation time and the "Should
be blocked"/"Should succeed" expectations are deterministic.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Namespace exclusions for Mutate may be incomplete for “system namespaces”.

The mutate policy excludes only kube-system and kyverno. For consistency with your later “Exclude System Namespaces” guidance, you may want to also exclude common system namespaces like kube-public and kube-node-lease (or clarify in the doc why they’re intentionally included).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md`
around lines 99 - 106, The mutate policy's namespace exclusion under the
"exclude" -> "any" -> "resources" -> "namespaces" block only lists kube-system
and kyverno, which may miss other system namespaces; update that namespaces list
(referencing the exclude/resources/namespaces block and the mutate section) to
also include kube-public and kube-node-lease (or add a short clarifying note in
the document explaining why those namespaces are intentionally omitted) so the
example matches the later "Exclude System Namespaces" guidance.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Make the Mutate-policy test verifications more deterministic (avoid grep).

The mutate policy is admission-time and targets kind: Pod, but your test uses kubectl run test-pod --image=nginx -n default (same concern as above: may create a controller). Also, verifying labels via kubectl get pod ... -o yaml | grep -A 3 labels: is brittle across kubectl/YAML formatting changes.

Prefer:

• forcing Pod creation (--restart=Never)
• asserting specific mutated fields using jsonpath (e.g., .metadata.labels.managed-by, .metadata.labels.company-standard, .spec.restartPolicy)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/security/security_and_compliance/compliance/howto/kyverno_usage.md`
around lines 118 - 130, The test is brittle: it may create a controller with
`kubectl run test-pod` and uses grep on YAML output; change the Pod creation to
force a single Pod (use `--restart=Never` or otherwise ensure a plain Pod) and
replace the fragile `kubectl get ... | grep` checks with deterministic jsonpath
assertions against the mutated fields in the created Pod—specifically assert
`.metadata.labels.managed-by`, `.metadata.labels.company-standard` and
`.spec.restartPolicy` after applying `mutate-pod-defaults.yaml` to verify the
mutation policy behavior.

[cloudflare-workers-and-pages]

Deploying alauda-container-platform with    Cloudflare Pages

Latest commit:	6078952
Status:	✅  Deploy successful!
Preview URL:	https://da551d27.alauda-container-platform.pages.dev
Branch Preview URL:	https://feat-application-api.alauda-container-platform.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/shared/openapis/application.v1.json`:
- Around line 373-386: The OpenAPI response for the GET operation on
"/kubernetes/{cluster_name}/apis/app.k8s.io/v1beta1/namespaces/{namespace}/applications/{name}"
is invalid because "application/json" contains "$ref" directly; wrap the
reference inside a "schema" object so the response shape becomes "content": {
"application/json": { "schema": { "$ref": \"#/components/schemas/Application\" }
} } — update the GET responses block for that path (the get operation's
responses -> 200 -> content -> application/json) to use a schema wrapper.
- Around line 1-8: Add global authentication to the OpenAPI document by adding a
top-level "security" array that references a named scheme (e.g. "bearerAuth")
and add a "components.securitySchemes" entry that defines that scheme (for
example, {"bearerAuth": {"type":"http","scheme":"bearer","bearerFormat":"JWT"}})
so clients know the required auth; update any operation-specific security if
some endpoints are public by overriding the global "security". Ensure you add
the "security" and "components.securitySchemes" keys at the document root and
use the exact names (e.g., bearerAuth) when referencing them.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8d365e11-825b-483f-9725-fcd9657b7c49

📥 Commits

Reviewing files that changed from the base of the PR and between d091a8f and f3fad53.

📒 Files selected for processing (6)

• docs/en/apis/advanced_apis/application/index.mdx
• docs/en/apis/advanced_apis/application/lifecycle.mdx
• docs/en/apis/advanced_apis/application/management.mdx
• docs/en/apis/advanced_apis/application/query.mdx
• docs/en/security/security_and_compliance/compliance/howto/kyverno_policies.md
• docs/shared/openapis/application.v1.json

✅ Files skipped from review due to trivial changes (5)

• docs/en/apis/advanced_apis/application/index.mdx
• docs/en/apis/advanced_apis/application/management.mdx
• docs/en/apis/advanced_apis/application/lifecycle.mdx
• docs/en/apis/advanced_apis/application/query.mdx
• docs/en/security/security_and_compliance/compliance/howto/kyverno_policies.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/shared/openapis/application.v1.json`:
- Around line 12-18: The OpenAPI path keys and path parameter names use
"{cluster_name}" but other docs use "{cluster}", causing mismatch; replace the
path segment "{cluster_name}" with "{cluster}" in the path key
"/acp/v1/kubernetes/{cluster_name}/namespaces/{namespace}/applications" and in
the corresponding parameter object (change the parameter "name": "cluster_name"
to "cluster") and do the same for every similar route entry that uses
"{cluster_name}" so all path keys and their path-parameter "name" fields
consistently use "{cluster}".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3d962872-ab2c-41cc-aaad-1b4a5bfa982b

📥 Commits

Reviewing files that changed from the base of the PR and between f3fad53 and 6078952.

📒 Files selected for processing (5)

• docs/en/apis/advanced_apis/application/index.mdx
• docs/en/apis/advanced_apis/application/lifecycle.mdx
• docs/en/apis/advanced_apis/application/management.mdx
• docs/en/apis/advanced_apis/application/query.mdx
• docs/shared/openapis/application.v1.json

✅ Files skipped from review due to trivial changes (3)

• docs/en/apis/advanced_apis/application/query.mdx
• docs/en/apis/advanced_apis/application/management.mdx
• docs/en/apis/advanced_apis/application/index.mdx

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/en/apis/advanced_apis/application/lifecycle.mdx

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unify cluster placeholder naming to avoid path-key mismatch with docs references.

This spec mixes {cluster_name} and {cluster} for similar route families. The docs path list in docs/en/apis/advanced_apis/application/query.mdx uses {cluster} for the application detail route, so one side won’t match by exact path key.

Also applies to: 64-70, 121-127, 154-160, 165-171, 176-182, 277-283, 376-382

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/shared/openapis/application.v1.json` around lines 12 - 18, The OpenAPI
path keys and path parameter names use "{cluster_name}" but other docs use
"{cluster}", causing mismatch; replace the path segment "{cluster_name}" with
"{cluster}" in the path key
"/acp/v1/kubernetes/{cluster_name}/namespaces/{namespace}/applications" and in
the corresponding parameter object (change the parameter "name": "cluster_name"
to "cluster") and do the same for every similar route entry that uses
"{cluster_name}" so all path keys and their path-parameter "name" fields
consistently use "{cluster}".