Documentation
Index
- Constants
- type DataRequest
- type Decision
- type DecisionPerCapabilityMap
- type DecisionPolicy
- type EvaluatorInput
- type EvaluatorInterface
- type EvaluatorOutput
- type Infrastructure
- type InfrastructureManager
- type RegoPolicyEvaluator
- type RestrictedEntity
- type Restriction
- type Restrictions
- type RuleDecisionList
- type WorkloadInfo
Constants

const RegoPolicyDirectory = "/tmp/adminconfig/"

A directory containing rego files that define admin config policies.

Variables

This section is empty.

Functions

This section is empty.

Types
type DataRequest

type DataRequest struct {
	// asset identifier
	DatasetID string `json:"datasetID"`
	// requested interface
	Interface api.InterfaceDetails `json:"interface"`
	// requested usage, e.g. "read": true, "write": false
	Usage map[api.DataFlow]bool `json:"usage"`
	// Asset metadata
	Metadata *datacatalog.ResourceMetadata `json:"dataset"`
}

DataRequest is a request to use a specific asset.
type Decision

type Decision struct {
	// a decision regarding deployment: True = require, False = forbid, Unknown = allow
	Deploy corev1.ConditionStatus `json:"deploy,omitempty"`
	// Deployment restrictions on modules, clusters and additional resources
	DeploymentRestrictions Restrictions `json:"restrictions,omitempty"`
	// Descriptions of policies that have been used for evaluation
	Policy DecisionPolicy `json:"policy,omitempty"`
}

Decision is a result of evaluating a configuration policy which satisfies the specified predicates.
type DecisionPerCapabilityMap

type DecisionPerCapabilityMap map[taxonomy.Capability]Decision
type DecisionPolicy

type DecisionPolicy struct {
	ID          string `json:"ID"`
	PolicySetID string `json:"policySetID"`
	Description string `json:"description,omitempty"`
}

DecisionPolicy is a justification for a policy that consists of a unique id, the id of a policy set and a human-readable description.
TODO(shlomitk1): add effective date, expiration date.
type EvaluatorInput

type EvaluatorInput struct {
	// Workload configuration
	Workload WorkloadInfo `json:"workload"`
	// Requirements for asset usage
	Request DataRequest `json:"request"`
	// Governance Actions for reading data (relevant for read scenarios only)
	GovernanceActions []taxonomy.Action `json:"actions"`
}

EvaluatorInput is an input to the Configuration Policies Evaluator. Used to evaluate configuration policies.
type EvaluatorInterface

type EvaluatorInterface interface {
	Evaluate(in *EvaluatorInput) (EvaluatorOutput, error)
}

EvaluatorInterface is an interface for the config policies' evaluator.
type EvaluatorOutput

type EvaluatorOutput struct {
	// Valid is true when there is no conflict between the decisions, and false otherwise
	Valid bool
	// Dataset identifier
	DatasetID string
	// Unique fybrikapplication id used for logging
	UUID string
	// Policy set id used in the evaluation
	PolicySetID string
	// Decisions per capability (after being merged)
	ConfigDecisions DecisionPerCapabilityMap
}

EvaluatorOutput is an output of ConfigurationPoliciesEvaluator. Used by the manager to decide which modules are deployed and in which cluster.
type Infrastructure

type Infrastructure struct {
	// Clusters available for deployment
	Clusters []multicluster.Cluster `json:"clusters"`
}

Infrastructure details, such as available clusters, storage accounts, metrics.
TODO(shlomitk1): include available storage accounts.
Metrics (clusters, networking) are not supported yet.
TODO(shlomitk1): define infrastructure taxonomy to be used in this structure.
type InfrastructureManager

type InfrastructureManager struct {
	ClusterManager multicluster.ClusterLister
	Client         client.Client
}

InfrastructureManager retrieves the infrastructure data, such as the ClusterManager interface, the Kubernetes client, etc.

func (*InfrastructureManager) SetInfrastructure

func (r *InfrastructureManager) SetInfrastructure() (*Infrastructure, error)

SetInfrastructure uses the available interfaces to get the infrastructure details.
type RegoPolicyEvaluator

type RegoPolicyEvaluator struct {
	Log          zerolog.Logger
	Query        rego.PreparedEvalQuery
	ReadyForEval bool
}

RegoPolicyEvaluator implements EvaluatorInterface.
func NewRegoPolicyEvaluator

func NewRegoPolicyEvaluator(log zerolog.Logger) *RegoPolicyEvaluator

NewRegoPolicyEvaluator constructs a new RegoPolicyEvaluator object.
func (*RegoPolicyEvaluator) Evaluate

func (r *RegoPolicyEvaluator) Evaluate(in *EvaluatorInput) (EvaluatorOutput, error)

Evaluate evaluates the rego files based on the dynamic input object.
type RestrictedEntity

type RestrictedEntity string

RestrictedEntity is an entity to be restricted, such as clusters, modules, storage accounts.

const (
	Modules         RestrictedEntity = "modules"
	Clusters        RestrictedEntity = "clusters"
	StorageAccounts RestrictedEntity = "storage"
)

Restricted entities.
type Restriction

Restriction maps a property to a list of allowed values. For example, a module restriction can map "type" to ["plugin", "config"] and "scope" to ["workload"]. These values come from the FybrikModule taxonomy. The semantics is a disjunction of values, i.e. a type can be either plugin or config.
type Restrictions

type Restrictions map[RestrictedEntity]Restriction

Deployment restrictions on modules, clusters and additional resources that will be added in the future.
type RuleDecisionList

type RuleDecisionList []DecisionPerCapabilityMap

Type definition for parsing the OPA response: a list of decisions per capability, e.g. {"read": {"deploy": true}, "write": {"deploy": false}}.
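The merge step that sits between RuleDecisionList and EvaluatorOutput.ConfigDecisions, written here as an added example (not the package's own code): per-rule decisions are folded into one Decision per capability, a require/forbid clash on the same capability clears Valid, and allowed-value lists for the same restricted entity and property are intersected. The types are local stand-ins for the page's corev1, taxonomy and Restrictions types, and two points are assumptions rather than documented package behaviour: that rules combine conjunctively (hence the intersection) and that an unset deploy status counts as allow.

```go
package main

import "slices"

// Local stand-ins for the page's types so the example runs without the fybrik module;
// Deploy follows corev1.ConditionStatus: "True" = require, "False" = forbid, "Unknown" = allow.
type Restriction map[string][]string     // property -> allowed values (a disjunction)
type Restrictions map[string]Restriction // restricted entity ("modules", "clusters", "storage") -> Restriction
type Decision struct {
	Deploy                 string
	DeploymentRestrictions Restrictions
}
type DecisionPerCapabilityMap map[string]Decision
type RuleDecisionList []DecisionPerCapabilityMap

// Merge folds the per-rule decisions into one Decision per capability and reports Valid:
// require ("True") meeting forbid ("False") on one capability is a conflict; allow never is.
// Value lists for the same entity and property are intersected (assumption: rules are conjunctive).
func Merge(rules RuleDecisionList) (DecisionPerCapabilityMap, bool) {
	out, valid := DecisionPerCapabilityMap{}, true
	for _, rule := range rules {
		for capability, d := range rule {
			cur, seen := out[capability]
			if !seen {
				cur = Decision{Deploy: "Unknown", DeploymentRestrictions: Restrictions{}}
			}
			switch {
			case d.Deploy == "" || d.Deploy == "Unknown": // allow (or unset): adds no constraint
			case cur.Deploy == "Unknown":
				cur.Deploy = d.Deploy
			case cur.Deploy != d.Deploy: // require meets forbid
				valid = false
			}
			for entity, r := range d.DeploymentRestrictions {
				if cur.DeploymentRestrictions[entity] == nil {
					cur.DeploymentRestrictions[entity] = Restriction{}
				}
				for prop, vals := range r {
					if old, ok := cur.DeploymentRestrictions[entity][prop]; ok {
						// keep only values the earlier rule also allows; clone so the rule's slice is untouched
						vals = slices.DeleteFunc(slices.Clone(vals), func(v string) bool { return !slices.Contains(old, v) })
					}
					cur.DeploymentRestrictions[entity][prop] = vals
				}
			}
			out[capability] = cur
		}
	}
	return out, valid
}
```

Requires Go 1.21 or newer for the standard-library slices package.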
type WorkloadInfo

type WorkloadInfo struct {
	// Unique fybrikapplication id used for logging
	UUID string `json:"uuid"`
	// Policy set id to allow evaluation of a specific set of policies per fybrikapplication
	PolicySetID string `json:"policySetID"`
	// Cluster where the user workload is running
	Cluster multicluster.Cluster `json:"cluster"`
	// Application/workload properties
	Properties taxonomy.AppInfo `json:"properties,omitempty"`
}

WorkloadInfo holds workload details such as the cluster where the workload is running, and additional properties defined in the taxonomy, e.g. workload type.