Documentation ¶
Index ¶
- Variables
- func NestedFieldNoCopy(obj map[string]interface{}, fields ...string) (interface{}, bool, error)
- func PrepareQuery() (rego.PreparedEvalQuery, error)
- type AttributeOptimization
- type DataRequest
- type Decision
- type DecisionPerCapability
- type DecisionPerCapabilityMap
- type DecisionPolicy
- type DeploymentStatus
- type EvaluationOutputStructure
- type EvaluatorInput
- type EvaluatorInterface
- type EvaluatorOutput
- type OptimizationDirective
- type OptimizationStrategy
- type RegoPolicyEvaluator
- type Restriction
- type Restrictions
- type RuleDecisionList
- type StringList
- type WorkloadInfo
Constants ¶
This section is empty.
Variables ¶
var RegoPolicyDirectory = environment.GetDataDir() + "/adminconfig/"
RegoPolicyDirectory is a directory containing rego files that define admin config policies
Functions ¶
func NestedFieldNoCopy ¶ added in v0.7.0
func PrepareQuery ¶ added in v0.6.1
func PrepareQuery() (rego.PreparedEvalQuery, error)
PrepareQuery prepares a query for OPA evaluation: the data object and the compiled modules. This function is called before the FybrikApplication controller is created in main. Monitoring changes in rego files will be implemented in a future version.
Types ¶
type AttributeOptimization ¶ added in v0.7.0
type AttributeOptimization struct {
	// Attribute name
	// +required
	Attribute string `json:"attribute"`
	// Optimization directive: minimize or maximize
	// +required
	Directive OptimizationDirective `json:"directive"`
	// Weight, a positive number not exceeding 1.0
	// Serialized as a string
	Weight string `json:"weight,omitempty"`
}
type DataRequest ¶
type DataRequest struct {
	// asset identifier
	DatasetID string `json:"datasetID"`
	// requested interface
	Interface *taxonomy.Interface `json:"interface,omitempty"`
	// requested usage, e.g. "read": true, "write": false
	Usage taxonomy.DataFlow `json:"usage"`
	// Asset metadata
	Metadata *datacatalog.ResourceMetadata `json:"dataset"`
}
DataRequest is a request to use a specific asset
type Decision ¶
type Decision struct {
	// a decision regarding deployment: True = require, False = forbid, Unknown = allow
	Deploy DeploymentStatus `json:"deploy,omitempty"`
	// Deployment restrictions on modules, clusters and additional resources
	DeploymentRestrictions Restrictions `json:"restrictions,omitempty"`
	// Descriptions of policies that have been used for evaluation
	Policy DecisionPolicy `json:"policy,omitempty"`
}
Decision is a result of evaluating a configuration policy which satisfies the specified predicates
type DecisionPerCapability ¶ added in v0.7.0
type DecisionPerCapability struct {
	Capability taxonomy.Capability `json:"capability"`
	Decision   Decision            `json:"decision"`
}
type DecisionPerCapabilityMap ¶
type DecisionPerCapabilityMap map[taxonomy.Capability]Decision
type DecisionPolicy ¶
type DecisionPolicy struct {
	ID          string `json:"ID"`
	PolicySetID string `json:"policySetID,omitempty"`
	Description string `json:"description,omitempty"`
	Version     string `json:"version,omitempty"`
}
DecisionPolicy is a justification for a policy that consists of a unique id, id of a policy set and a human readable description
type DeploymentStatus ¶ added in v0.7.0
type DeploymentStatus string
+kubebuilder:validation:Enum=True;False;Unknown
const (
	StatusTrue    DeploymentStatus = "True"
	StatusFalse   DeploymentStatus = "False"
	StatusUnknown DeploymentStatus = "Unknown"
)
DeploymentStatus values
type EvaluationOutputStructure ¶ added in v0.7.0
type EvaluationOutputStructure struct {
	Config RuleDecisionList `json:"config"`
	// +optional
	Optimize []OptimizationStrategy `json:"optimize,omitempty"`
}
Result of query evaluation
type EvaluatorInput ¶
type EvaluatorInput struct {
	// Workload configuration
	Workload WorkloadInfo `json:"workload"`
	// Requirements for asset usage
	Request DataRequest `json:"request"`
}
EvaluatorInput is an input to Configuration Policies Evaluator. Used to evaluate configuration policies.
type EvaluatorInterface ¶
type EvaluatorInterface interface {
Evaluate(in *EvaluatorInput) (EvaluatorOutput, error)
}
EvaluatorInterface is an interface for config policies' evaluator
type EvaluatorOutput ¶
type EvaluatorOutput struct {
	// Valid is true when there is no conflict between the decisions, and false otherwise
	Valid bool
	// Dataset identifier
	DatasetID string
	// Unique fybrikapplication id used for logging
	UUID string
	// Policy set id used in the evaluation
	PolicySetID string
	// Decisions per capability (after being merged)
	ConfigDecisions DecisionPerCapabilityMap
	// Optimization strategy
	OptimizationStrategy []AttributeOptimization
	// Affecting policies
	Policies []DecisionPolicy
}
EvaluatorOutput is an output of ConfigurationPoliciesEvaluator. Used by manager to decide which modules are deployed and in which cluster.
type OptimizationDirective ¶ added in v0.7.0
type OptimizationDirective string
+kubebuilder:validation:Enum=min;max
const (
	Minimize OptimizationDirective = "min"
	Maximize OptimizationDirective = "max"
)
List of directives
type OptimizationStrategy ¶ added in v0.7.0
type OptimizationStrategy struct {
	Strategy []AttributeOptimization `json:"strategy"`
	Policy   DecisionPolicy          `json:"policy"`
}
A list of attribute optimizations
type RegoPolicyEvaluator ¶
type RegoPolicyEvaluator struct {
	Log   zerolog.Logger
	Query rego.PreparedEvalQuery
	Mux   *sync.RWMutex
}
RegoPolicyEvaluator implements EvaluatorInterface
func NewRegoPolicyEvaluator ¶
func NewRegoPolicyEvaluator() (*RegoPolicyEvaluator, error)
NewRegoPolicyEvaluator constructs a new RegoPolicyEvaluator object
func NewRegoPolicyEvaluatorWithQuery ¶ added in v0.7.0
func NewRegoPolicyEvaluatorWithQuery(query rego.PreparedEvalQuery) *RegoPolicyEvaluator
func (*RegoPolicyEvaluator) Evaluate ¶
func (r *RegoPolicyEvaluator) Evaluate(in *EvaluatorInput) (EvaluatorOutput, error)
Evaluate method evaluates the rego files based on the dynamic input object
func (*RegoPolicyEvaluator) GetOptions ¶ added in v0.7.0
func (r *RegoPolicyEvaluator) GetOptions() monitor.FileMonitorOptions
Options for file monitor including the monitored directory and the relevant file extension
func (*RegoPolicyEvaluator) OnError ¶ added in v0.7.0
func (r *RegoPolicyEvaluator) OnError(err error)
func (*RegoPolicyEvaluator) OnNotify ¶ added in v0.7.0
func (r *RegoPolicyEvaluator) OnNotify()
notification event: policy files have been changed
type Restriction ¶
type Restriction struct {
	Property string              `json:"property"`
	Values   StringList          `json:"values,omitempty"`
	Range    *taxonomy.RangeType `json:"range,omitempty"`
}
func (Restriction) SatisfiedByResource ¶ added in v0.7.0
func (restrict Restriction) SatisfiedByResource(attrManager *infrastructure.AttributeManager, spec interface{}, instanceName string) bool
Validation of an object with respect to the admin config restriction
type Restrictions ¶
type Restrictions struct {
	Clusters        []Restriction `json:"clusters,omitempty"`
	Modules         []Restriction `json:"modules,omitempty"`
	StorageAccounts []Restriction `json:"storageaccounts,omitempty"`
}
Deployment restrictions on modules, clusters and additional resources that will be added in the future
type RuleDecisionList ¶
type RuleDecisionList []DecisionPerCapability
A list of decisions, e.g. [{"capability": "read", "decision": {"deploy": "True"}}, {"capability": "write", "decision": {"deploy": "False"}}]
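The merge and conflict check that EvaluatorOutput.Valid and DecisionPerCapabilityMap describe, shown as an added example that is not Fybrik's own code. The types are local mirrors trimmed to the fields used; MergeDecisions, the string-typed capability, and the conflict rule (True against False for one capability) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirrors of the documented types, trimmed to the fields used here.
type DeploymentStatus string
type Decision struct {
	Deploy DeploymentStatus `json:"deploy,omitempty"`
}
type DecisionPerCapability struct {
	Capability string   `json:"capability"` // taxonomy.Capability in the package
	Decision   Decision `json:"decision"`
}

// Constructed sample: two rules that disagree about the "read" capability.
const sample = `[{"capability":"read","decision":{"deploy":"True"}},{"capability":"read","decision":{"deploy":"False"}}]`

// MergeDecisions (hypothetical helper) decodes a RuleDecisionList and folds it
// into one decision per capability. Assumed rule: True and False conflict.
func MergeDecisions(raw []byte) (map[string]Decision, bool, error) {
	var rules []DecisionPerCapability
	if err := json.Unmarshal(raw, &rules); err != nil {
		return nil, false, err
	}
	merged, valid := map[string]Decision{}, true
	for _, r := range rules {
		cur := r.Decision.Deploy
		if cur == "" {
			cur = "Unknown" // omitted deploy treated as "allow" (assumption)
		}
		if cur != "True" && cur != "False" && cur != "Unknown" {
			return nil, false, fmt.Errorf("%q: invalid deploy value %q", r.Capability, cur)
		}
		prev, seen := merged[r.Capability]
		switch {
		case !seen || prev.Deploy == "Unknown":
			merged[r.Capability] = Decision{Deploy: cur}
		case cur != "Unknown" && cur != prev.Deploy:
			valid = false // one rule requires, another forbids
		}
	}
	return merged, valid, nil
}

func main() {
	fmt.Println(MergeDecisions([]byte(sample))) // map[read:{True}] false <nil>
}
```

Rejecting values outside the True/False/Unknown enum before merging keeps a malformed policy result from being read as an implicit allow.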
type StringList ¶ added in v0.7.0
type StringList []string
Restriction maps a property to a list of allowed values. The semantics is a disjunction of values, e.g. a type can be either plugin or config.
type WorkloadInfo ¶
type WorkloadInfo struct {
	// Unique fybrikapplication id used for logging
	UUID string `json:"uuid"`
	// Policy set id to allow evaluation of a specific set of policies per fybrikapplication
	PolicySetID string `json:"policySetID"`
	// Cluster where the user workload is running
	Cluster multicluster.Cluster `json:"cluster"`
	// Application/workload properties
	Properties taxonomy.AppInfo `json:"properties,omitempty"`
}
WorkloadInfo holds workload details such as the cluster where the workload is running, and additional properties defined in the taxonomy, e.g. workload type