Documentation ¶
Overview ¶
Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group.

+kubebuilder:object:generate=true
+groupName=policy.open-cluster-management.io
+kubebuilder:validation:Optional
Index ¶
- Constants
- Variables
- func RecordComplianceEvent(r record.EventRecorder, policy PolicyTyper, msg string)
- func UpdateCondition(status *PolicyTypeStatus, reason, msg string)
- type ComplianceState
- type NamespaceSelector
- type NonEmptyString
- type ObjectMetadata
- type ObjectRef
- type PolicyType
- type PolicyTypeList
- type PolicyTypeSpec
- type PolicyTypeStatus
- type PolicyTyper
- type RelatedObject
Constants ¶
const ComplianceConditionType string = "Compliant"
ComplianceConditionType is the condition type that indicates whether the policy is compliant. If policies use `status.conditions`, they should report their compliance status on this condition type.
const ReasonNoCompliantObjects string = "NoCompliantObjects"
ReasonNoCompliantObjects should be used when the policy requires certain objects to be present on the cluster, but they are not found. It should be used to contrast with ViolationsFound, where the objects were found on the cluster, but they do not match the desired spec/state.
const ReasonPolicyCompliant string = "PolicyCompliant"
ReasonPolicyCompliant should be used when the policy was evaluated without error, and found to be compliant. The status of the condition should be True.
const ReasonPolicyError string = "PolicyError"
ReasonPolicyError should be used when the policy is not compliant due to an error that occurred while evaluating the policy. The status of the condition should be either False or Unknown.
const ReasonViolationsFound string = "ViolationsFound"
ReasonViolationsFound should be used when the policy is not compliant due to objects found on the cluster that cause violations. If the policy is not compliant for a different reason (like an error), then the policy should use another reason.
Variables ¶
var GroupVersion = schema.GroupVersion{Group: "policy.open-cluster-management.io", Version: "v1alpha1"}
GroupVersion is group version used to register these objects
var UnknownCompliancyMeansViolation = true
Functions ¶
func RecordComplianceEvent ¶
func RecordComplianceEvent(r record.EventRecorder, policy PolicyTyper, msg string)
RecordComplianceEvent creates an event on the "parent" policy of the given object (found through its ownerReferences, which the policy framework sets) that the policy framework recognizes and uses to update the parent policy's status. This is the channel through which compliance information reaches the hub, so the event content is the policy's status of record. The provided message is prepended with "Compliant; " or "NonCompliant; " as the policy framework requires. The record.EventRecorder needs permission to create and patch events, and nothing more, like the access given by this kubebuilder tag: `//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch`
func UpdateCondition ¶
func UpdateCondition(status *PolicyTypeStatus, reason, msg string)
UpdateCondition sets the Compliance condition in the given status to match the ComplianceState, and to have the given reason and message. It will update the LastTransitionTime if the status has changed, and it will initialize the condition if it did not already exist.
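The following is an added example, not code from the package documented on this page. It re-implements, with standard-library stand-ins for metav1.Condition and the status types, the contract the constants and the two functions above describe: derive the overall ComplianceState and reason from the per-object results (ReasonPolicyError for an evaluation failure, ReasonViolationsFound when examined objects violate, ReasonNoCompliantObjects when nothing matched, ReasonPolicyCompliant otherwise), set the Compliant condition with a LastTransitionTime that only moves when the condition status changes, and build the event text with the prefix the framework expects. The names Status, Condition, Summarize, Report and EventMessage, the status mapping UnknownCompliancy -> "Unknown", and treating UnknownCompliancy as "NonCompliant" in the event prefix (following the plain reading of the exported, undocumented UnknownCompliancyMeansViolation variable) are this example's assumptions, not the project's API.

```go
package main

import (
	"fmt"
	"time"
)

// Condition type and reasons as documented for the API.
const (
	ComplianceConditionType  = "Compliant"
	ReasonNoCompliantObjects = "NoCompliantObjects"
	ReasonPolicyCompliant    = "PolicyCompliant"
	ReasonPolicyError        = "PolicyError"
	ReasonViolationsFound    = "ViolationsFound"
)

type ComplianceState string

const (
	Compliant         ComplianceState = "Compliant"
	NonCompliant      ComplianceState = "NonCompliant"
	UnknownCompliancy ComplianceState = "UnknownCompliancy"
)

// Condition is an example stand-in for metav1.Condition (assumption).
type Condition struct {
	Type, Status, Reason, Message string // Status is "True", "False" or "Unknown"
	LastTransitionTime            time.Time
}

// RelatedObject mirrors the API type with the object reference reduced to a name.
type RelatedObject struct {
	Name            string
	ComplianceState ComplianceState
	Reason          string
}

// Status mirrors the parts of PolicyTypeStatus this example touches (assumption).
type Status struct {
	ComplianceState ComplianceState
	RelatedObjects  []RelatedObject
	Conditions      []Condition
}

// conditionStatus maps the state to a condition status: Compliant -> True as the
// docs require, NonCompliant -> False, and (this example's choice) Unknown otherwise.
func conditionStatus(s ComplianceState) string {
	switch s {
	case Compliant:
		return "True"
	case NonCompliant:
		return "False"
	default:
		return "Unknown"
	}
}

// UpdateCondition follows the documented contract: match status.ComplianceState,
// set reason and message, move LastTransitionTime only on a status change, and
// create the condition if it does not exist yet. The clock is injected for testing.
func UpdateCondition(status *Status, reason, msg string, now time.Time) {
	want := conditionStatus(status.ComplianceState)
	for i := range status.Conditions {
		c := &status.Conditions[i]
		if c.Type != ComplianceConditionType {
			continue
		}
		if c.Status != want {
			c.Status, c.LastTransitionTime = want, now
		}
		c.Reason, c.Message = reason, msg
		return
	}
	status.Conditions = append(status.Conditions, Condition{
		Type: ComplianceConditionType, Status: want, Reason: reason, Message: msg, LastTransitionTime: now})
}

// Summarize picks state, reason and message from an evaluation's results. Treating
// "nothing found" as NonCompliant is policy-specific; this example does so.
func Summarize(objs []RelatedObject, evalErr error) (ComplianceState, string, string) {
	if evalErr != nil {
		return UnknownCompliancy, ReasonPolicyError, "policy evaluation failed: " + evalErr.Error()
	}
	if len(objs) == 0 {
		return NonCompliant, ReasonNoCompliantObjects, "no matching objects found"
	}
	var violations []string
	for _, o := range objs {
		if o.ComplianceState != Compliant {
			violations = append(violations, fmt.Sprintf("%s (%s)", o.Name, o.Reason))
		}
	}
	if len(violations) > 0 {
		return NonCompliant, ReasonViolationsFound, fmt.Sprintf("violations found: %v", violations)
	}
	return Compliant, ReasonPolicyCompliant, fmt.Sprintf("%d examined object(s) compliant", len(objs))
}

// EventMessage adds the prefix the framework requires on compliance events.
// Anything other than Compliant is reported as NonCompliant (assumption, see lead-in).
func EventMessage(state ComplianceState, msg string) string {
	if state == Compliant {
		return "Compliant; " + msg
	}
	return "NonCompliant; " + msg
}

// Report does one evaluation cycle's status bookkeeping and returns the event text.
func Report(status *Status, objs []RelatedObject, evalErr error, now time.Time) string {
	state, reason, msg := Summarize(objs, evalErr)
	status.ComplianceState, status.RelatedObjects = state, objs
	UpdateCondition(status, reason, msg, now)
	return EventMessage(state, msg)
}
```

A controller would call Report once per reconcile with the objects it examined, write the status back, and hand the returned string to RecordComplianceEvent; because the reason is chosen from the documented constants, consumers on the hub can distinguish "objects missing" from "objects wrong" from "could not evaluate" without parsing the message.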
Types ¶
type ComplianceState ¶
type ComplianceState string
ComplianceState shows the state of enforcement.

+kubebuilder:validation:Enum=Compliant;NonCompliant;UnknownCompliancy

const (
	Compliant         ComplianceState = "Compliant"
	NonCompliant      ComplianceState = "NonCompliant"
	UnknownCompliancy ComplianceState = "UnknownCompliancy"
)
type NamespaceSelector ¶
type NamespaceSelector struct {
	// Include is a list of namespaces the policy should apply to. UNIX style
	// wildcards will be expanded, for example "kube-*" will include both
	// "kube-system" and "kube-public".
	//+kubebuilder:validation:Required
	//+kubebuilder:validation:MinItems=1
	Include []NonEmptyString `json:"include,omitempty"`

	// Exclude is a list of namespaces the policy should _not_ apply to. UNIX
	// style wildcards will be expanded, for example "kube-*" will exclude both
	// "kube-system" and "kube-public".
	Exclude []NonEmptyString `json:"exclude,omitempty"`
}
func (*NamespaceSelector) DeepCopy ¶
func (in *NamespaceSelector) DeepCopy() *NamespaceSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceSelector.
func (*NamespaceSelector) DeepCopyInto ¶
func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (NamespaceSelector) GetNamespaces ¶
GetNamespaces fetches all namespaces in the cluster and returns a list of the namespaces that match the NamespaceSelector. The client.Reader needs access for viewing namespaces, like the access given by this kubebuilder tag: `//+kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch`
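The following is an added example, not the package's GetNamespaces. It reproduces the selection semantics the field comments describe over an already-fetched list of namespace names, using the standard library's path.Match for the "kube-*" style wildcards. Two points matter for a policy that is supposed to limit blast radius: an Exclude pattern always wins over Include, so "include everything except kube-*" cannot pull kube-system back in, and an empty Include is rejected rather than treated as "all namespaces", mirroring the Required/MinItems=1 validation on the CRD. The function name SelectNamespaces, the choice of path.Match, and the constructed namespace list are this example's assumptions; whether the real implementation uses the same matcher is not stated on this page.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// NonEmptyString mirrors the API type's name; its validation is not reproduced here.
type NonEmptyString string

// NamespaceSelector mirrors the shape of the v1alpha1 type: Include is required,
// Exclude is optional, and both accept UNIX-style wildcards.
type NamespaceSelector struct {
	Include []NonEmptyString
	Exclude []NonEmptyString
}

// matchAny reports whether name matches at least one pattern. path.Match gives
// the '*', '?' and '[...]' wildcards the field comments describe; a malformed
// pattern is an error, never a silent non-match.
func matchAny(patterns []NonEmptyString, name string) (bool, error) {
	for _, p := range patterns {
		ok, err := path.Match(string(p), name)
		if err != nil {
			return false, fmt.Errorf("bad namespace pattern %q: %w", p, err)
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// SelectNamespaces returns, sorted, the names in all that match an Include
// pattern and no Exclude pattern (example reimplementation, see lead-in).
func SelectNamespaces(sel NamespaceSelector, all []string) ([]string, error) {
	if len(sel.Include) == 0 {
		// The CRD marks Include as required with MinItems=1; refuse rather than
		// guess, because an empty include must never widen to "everything".
		return nil, fmt.Errorf("namespaceSelector.include must not be empty")
	}
	out := []string{}
	for _, ns := range all {
		included, err := matchAny(sel.Include, ns)
		if err != nil {
			return nil, err
		}
		if !included {
			continue
		}
		excluded, err := matchAny(sel.Exclude, ns)
		if err != nil {
			return nil, err
		}
		if excluded {
			continue
		}
		out = append(out, ns)
	}
	sort.Strings(out) // stable order makes status diffs and tests deterministic
	return out, nil
}

func main() {
	// Constructed namespace list standing in for a Namespace LIST from the API server.
	cluster := []string{"default", "kube-system", "kube-public", "kube-node-lease", "app-prod", "app-dev"}
	sel := NamespaceSelector{
		Include: []NonEmptyString{"*"},
		Exclude: []NonEmptyString{"kube-*"},
	}
	got, err := SelectNamespaces(sel, cluster)
	fmt.Println(got, err) // [app-dev app-prod default] <nil>
}
```

In a real controller the list of names comes from the client.Reader mentioned above, which is why that reader only needs get, list and watch on namespaces and nothing else; the matching itself needs no cluster access and can be unit-tested the way this block is.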
type ObjectMetadata ¶
type ObjectMetadata struct {
	// Name of the referent. More info:
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
	Name string `json:"name,omitempty"`

	// Namespace of the referent. More info:
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
	Namespace string `json:"namespace,omitempty"`
}
ObjectMetadata contains the resource metadata for an object being processed by the policy
func (*ObjectMetadata) DeepCopy ¶
func (in *ObjectMetadata) DeepCopy() *ObjectMetadata
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMetadata.
func (*ObjectMetadata) DeepCopyInto ¶
func (in *ObjectMetadata) DeepCopyInto(out *ObjectMetadata)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ObjectRef ¶
type ObjectRef struct {
	metav1.TypeMeta `json:",inline"`
	Metadata        ObjectMetadata `json:"metadata,omitempty"`
}
func (*ObjectRef) DeepCopy ¶
func (in *ObjectRef) DeepCopy() *ObjectRef
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectRef.
func (*ObjectRef) DeepCopyInto ¶
func (in *ObjectRef) DeepCopyInto(out *ObjectRef)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyType ¶
type PolicyType struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PolicyTypeSpec   `json:"spec,omitempty"`
	Status PolicyTypeStatus `json:"status,omitempty"`
}
PolicyType is the Schema for the policytypes API
func (*PolicyType) DeepCopy ¶
func (in *PolicyType) DeepCopy() *PolicyType
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyType.
func (*PolicyType) DeepCopyInto ¶
func (in *PolicyType) DeepCopyInto(out *PolicyType)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyType) DeepCopyObject ¶
func (in *PolicyType) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (PolicyType) PolicySpec ¶
func (p PolicyType) PolicySpec() *PolicyTypeSpec
func (PolicyType) PolicyStatus ¶
func (p PolicyType) PolicyStatus() *PolicyTypeStatus
type PolicyTypeList ¶
type PolicyTypeList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []PolicyType `json:"items"`
}
PolicyTypeList contains a list of PolicyType
func (*PolicyTypeList) DeepCopy ¶
func (in *PolicyTypeList) DeepCopy() *PolicyTypeList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyTypeList.
func (*PolicyTypeList) DeepCopyInto ¶
func (in *PolicyTypeList) DeepCopyInto(out *PolicyTypeList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyTypeList) DeepCopyObject ¶
func (in *PolicyTypeList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyTypeSpec ¶
type PolicyTypeSpec struct {
	// Severity is how serious the situation is when the policy is not
	// compliant. Accepted values are low, medium, high, and critical, in
	// either capitalization.
	//+kubebuilder:validation:Enum=low;Low;medium;Medium;high;High;critical;Critical
	Severity string `json:"severity,omitempty"`

	// RemediationAction indicates what the policy controller should do when the
	// policy is not compliant. Accepted values are inform and enforce, in either
	// capitalization. Note that not all policy controllers will attempt to
	// automatically remediate a policy, even when set to "enforce".
	//+kubebuilder:validation:Enum=Inform;inform;Enforce;enforce
	RemediationAction string `json:"remediationAction,omitempty"`

	// NamespaceSelector indicates which namespaces on the cluster this policy
	// should apply to, when the policy applies to namespaced objects.
	//+kubebuilder:validation:Required
	NamespaceSelector NamespaceSelector `json:"namespaceSelector,omitempty"`

	// LabelSelector is a map of labels and values for the resources that the
	// policy should apply to. Not all policy controllers use this field, but
	// if they do, the resources must match all labels specified here.
	LabelSelector map[string]NonEmptyString `json:"labelSelector,omitempty"`
}
PolicyTypeSpec includes all fields that should be implemented in the spec of all policy types in the policy framework.
func (*PolicyTypeSpec) DeepCopy ¶
func (in *PolicyTypeSpec) DeepCopy() *PolicyTypeSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyTypeSpec.
func (*PolicyTypeSpec) DeepCopyInto ¶
func (in *PolicyTypeSpec) DeepCopyInto(out *PolicyTypeSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyTypeStatus ¶
type PolicyTypeStatus struct {
	// ComplianceState indicates whether the policy is compliant or not.
	// Accepted values include: Compliant, NonCompliant, and UnknownCompliancy
	ComplianceState ComplianceState `json:"compliant,omitempty"`

	// RelatedObjects are objects on the cluster that were examined in order to
	// determine compliance. Often these are objects that cause a violation, but
	// not always.
	RelatedObjects []RelatedObject `json:"relatedObjects,omitempty"`

	// Conditions represent the latest available observations of an object's state
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}
PolicyTypeStatus includes fields that are useful for policy types in the policy framework to implement in order to report status.
func (*PolicyTypeStatus) DeepCopy ¶
func (in *PolicyTypeStatus) DeepCopy() *PolicyTypeStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyTypeStatus.
func (*PolicyTypeStatus) DeepCopyInto ¶
func (in *PolicyTypeStatus) DeepCopyInto(out *PolicyTypeStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyTyper ¶
type PolicyTyper interface {
	client.Object
	PolicySpec() *PolicyTypeSpec
	PolicyStatus() *PolicyTypeStatus
}

+kubebuilder:object:generate=false
type RelatedObject ¶
type RelatedObject struct {
	Object          ObjectRef       `json:"object,omitempty"`
	ComplianceState ComplianceState `json:"compliant,omitempty"`
	Reason          NonEmptyString  `json:"reason,omitempty"`
}
func (*RelatedObject) DeepCopy ¶
func (in *RelatedObject) DeepCopy() *RelatedObject
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RelatedObject.
func (*RelatedObject) DeepCopyInto ¶
func (in *RelatedObject) DeepCopyInto(out *RelatedObject)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (RelatedObject) SortString ¶
func (o RelatedObject) SortString() string
SortString returns a string which can help sort RelatedObjects.