Documentation
Overview
Package v1alpha1 contains API Schema definitions for the validation v1alpha1 API group
+kubebuilder:object:generate=true
+groupName=validation.spectrocloud.labs
Index
Constants
This section is empty.
Variables
var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "validation.spectrocloud.labs", Version: "v1alpha1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions
This section is empty.
Types
type ActionStr
type ActionStr string
ActionStr is a type used for Action strings and DataAction strings. Alias exists to enable kubebuilder max string length validation for arrays of these.
+kubebuilder:validation:MaxLength=200
type AzureAuth
type AzureAuth struct {
	// If true, the AzureValidator will use the Azure SDK's default credential chain to authenticate.
	// Set to true if using WorkloadIdentityCredentials. If set to false, the plugin falls back to
	// the SecretName field.
	Implicit bool `json:"implicit" yaml:"implicit"`

	// Name of a Secret in the same namespace as the AzureValidator that contains Azure credentials.
	// The secret data's keys and values are expected to align with valid Azure environment variable credentials,
	// per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.
	// For each AZURE_ key not found in the secret, the plugin falls back to the Credentials field.
	// If not provided, the plugin falls back to the Credentials field.
	SecretName string `json:"secretName,omitempty" yaml:"secretName,omitempty"`

	// The credentials for the service principal used to authenticate the plugin if not using
	// implicit auth and if secret name was not provided. If secret name was provided, but one or
	// more AZURE_ keys are missing from the secret's data, this field is used for each key missing
	// from the secret data.
	Credentials *ServicePrincipalCredentials `json:"credentials,omitempty" yaml:"credentials,omitempty"`
}
AzureAuth defines authentication configuration for an AzureValidator.
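The fallback chain the AzureAuth field comments describe (Implicit first, then each AZURE_ key from the referenced Secret's data, then the matching Credentials field) as an added Go example; this is not the plugin's own code. The type definitions are local copies so the file runs stand-alone, the Secret's data is passed in as a plain map, and the AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET key names are the azidentity environment-variable names; the mapping of those keys onto Credentials fields, the ResolvedAuth type and resolveAuth itself are this example's assumptions. Recording where each value came from is useful when auditing which validators still carry an inline ClientSecret in the resource rather than referencing a Secret.

```go
package main

import "fmt"

// Local mirrors of the two API types this example needs (hypothetical copies for a
// self-contained file; they are not the package's own definitions).
type ServicePrincipalCredentials struct {
	TenantID, ClientID, ClientSecret, Environment string
}

type AzureAuth struct {
	Implicit    bool
	SecretName  string
	Credentials *ServicePrincipalCredentials
}

// Assumption: the Secret's data keys use these azidentity environment-variable names, and
// each one falls back to the Credentials field chosen in credentialsValue.
var credentialKeys = []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"}

func credentialsValue(c *ServicePrincipalCredentials, key string) string {
	if c == nil {
		return ""
	}
	switch key {
	case "AZURE_TENANT_ID":
		return c.TenantID
	case "AZURE_CLIENT_ID":
		return c.ClientID
	case "AZURE_CLIENT_SECRET":
		return c.ClientSecret
	}
	return ""
}

// ResolvedAuth is what an authenticator would be handed once the fallback chain has run.
type ResolvedAuth struct {
	Implicit    bool
	Env         map[string]string // AZURE_* values, taken from the secret or from Credentials
	Source      map[string]string // per key: "secret" or "credentials", handy for audit logging
	Environment string            // cloud environment; this example takes it from Credentials only
}

// resolveAuth applies the documented order: Implicit wins outright; otherwise each AZURE_ key is
// read from the Secret's data and, when missing or empty there, from the Credentials field.
// secretData stands in for the referenced Secret's data (nil when SecretName is unset).
func resolveAuth(auth AzureAuth, secretData map[string][]byte) (ResolvedAuth, error) {
	if auth.Implicit {
		return ResolvedAuth{Implicit: true}, nil
	}
	out := ResolvedAuth{Env: map[string]string{}, Source: map[string]string{}}
	if auth.Credentials != nil {
		out.Environment = auth.Credentials.Environment
	}
	var missing []string
	for _, k := range credentialKeys {
		if v, ok := secretData[k]; ok && len(v) > 0 {
			out.Env[k], out.Source[k] = string(v), "secret"
		} else if cv := credentialsValue(auth.Credentials, k); cv != "" {
			out.Env[k], out.Source[k] = cv, "credentials"
		} else {
			missing = append(missing, k)
		}
	}
	if len(missing) > 0 {
		return out, fmt.Errorf("no value for %v in secret %q or in spec.auth.credentials", missing, auth.SecretName)
	}
	return out, nil
}

func main() {
	// Constructed sample: the Secret supplies the IDs, the client secret comes from Credentials.
	secret := map[string][]byte{"AZURE_TENANT_ID": []byte("tenant-guid"), "AZURE_CLIENT_ID": []byte("client-guid")}
	auth := AzureAuth{SecretName: "azure-creds", Credentials: &ServicePrincipalCredentials{ClientSecret: "s3cret"}}
	resolved, err := resolveAuth(auth, secret)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, k := range credentialKeys {
		fmt.Printf("%s <- %s\n", k, resolved.Source[k])
	}
}
```

Because Credentials.ClientSecret lives in clear text inside the AzureValidator resource while SecretName only references a Secret, the resolver's Source map makes it easy to flag resources that still depend on the inline field.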
func (*AzureAuth) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureAuth.
func (*AzureAuth) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AzureValidator
type AzureValidator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   AzureValidatorSpec   `json:"spec,omitempty"`
	Status AzureValidatorStatus `json:"status,omitempty"`
}
AzureValidator is the Schema for the azurevalidators API.
func (*AzureValidator) DeepCopy
func (in *AzureValidator) DeepCopy() *AzureValidator
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidator.
func (*AzureValidator) DeepCopyInto
func (in *AzureValidator) DeepCopyInto(out *AzureValidator)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AzureValidator) DeepCopyObject
func (in *AzureValidator) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (AzureValidator) GetKind (added in v0.0.16)
func (v AzureValidator) GetKind() string
GetKind returns the Azure validator's kind.
func (AzureValidator) PluginCode (added in v0.0.15)
func (v AzureValidator) PluginCode() string
PluginCode returns the Azure validator's plugin code.
func (AzureValidator) ResultCount (added in v0.0.15)
func (v AzureValidator) ResultCount() int
ResultCount returns the number of validation results expected for an AzureValidator.
type AzureValidatorList
type AzureValidatorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AzureValidator `json:"items"`
}
AzureValidatorList contains a list of AzureValidator.
func (*AzureValidatorList) DeepCopy
func (in *AzureValidatorList) DeepCopy() *AzureValidatorList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorList.
func (*AzureValidatorList) DeepCopyInto
func (in *AzureValidatorList) DeepCopyInto(out *AzureValidatorList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AzureValidatorList) DeepCopyObject
func (in *AzureValidatorList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AzureValidatorSpec
type AzureValidatorSpec struct {
	// Rules for validating that the correct role assignments have been created in Azure RBAC to
	// provide needed permissions.
	// +kubebuilder:validation:MaxItems=5
	// +kubebuilder:validation:XValidation:message="RBACRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
	RBACRules []RBACRule `json:"rbacRules,omitempty" yaml:"rbacRules,omitempty"`

	// Rules for validating that images exist in an Azure Compute Gallery published as a community
	// gallery.
	// +kubebuilder:validation:MaxItems=5
	// +kubebuilder:validation:XValidation:message="CommunityGalleryImageRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
	CommunityGalleryImageRules []CommunityGalleryImageRule `json:"communityGalleryImageRules,omitempty" yaml:"communityGalleryImageRules,omitempty"`

	// Rules for validating that current usage falls within current quota limits, including a
	// buffer.
	// +kubebuilder:validation:MaxItems=5
	// +kubebuilder:validation:XValidation:message="QuotaRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
	QuotaRules []QuotaRule `json:"quotaRules,omitempty" yaml:"quotaRules,omitempty"`

	Auth AzureAuth `json:"auth" yaml:"auth"`
}
AzureValidatorSpec defines the desired state of AzureValidator.
func (*AzureValidatorSpec) DeepCopy
func (in *AzureValidatorSpec) DeepCopy() *AzureValidatorSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorSpec.
func (*AzureValidatorSpec) DeepCopyInto
func (in *AzureValidatorSpec) DeepCopyInto(out *AzureValidatorSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (AzureValidatorSpec) PluginCode (added in v0.0.15)
func (s AzureValidatorSpec) PluginCode() string
PluginCode returns the Azure validator's plugin code.
func (AzureValidatorSpec) ResultCount
func (s AzureValidatorSpec) ResultCount() int
ResultCount returns the number of validation results expected for an AzureValidatorSpec.
type AzureValidatorStatus
type AzureValidatorStatus struct{}
AzureValidatorStatus defines the observed state of AzureValidator.
func (*AzureValidatorStatus) DeepCopy
func (in *AzureValidatorStatus) DeepCopy() *AzureValidatorStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorStatus.
func (*AzureValidatorStatus) DeepCopyInto
func (in *AzureValidatorStatus) DeepCopyInto(out *AzureValidatorStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CommunityGallery (added in v0.0.12)
type CommunityGallery struct {
	// Location is the location of the community gallery (e.g. "westus").
	Location string `json:"location" yaml:"location"`

	// Name is the name of the community gallery.
	Name string `json:"name" yaml:"name"`
}
CommunityGallery is a community gallery in a particular location.
func (*CommunityGallery) DeepCopy (added in v0.0.12)
func (in *CommunityGallery) DeepCopy() *CommunityGallery
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommunityGallery.
func (*CommunityGallery) DeepCopyInto (added in v0.0.12)
func (in *CommunityGallery) DeepCopyInto(out *CommunityGallery)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CommunityGalleryImageRule (added in v0.0.12)
type CommunityGalleryImageRule struct {
	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`

	// RuleName is a unique identifier for the rule in the validator. Used to ensure conditions do
	// not overwrite each other.
	// +kubebuilder:validation:MaxLength=200
	RuleName string `json:"name" yaml:"name"`

	// Gallery is the community gallery.
	Gallery CommunityGallery `json:"gallery" yaml:"gallery"`

	// Images is a list of image names.
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=1000
	Images []string `json:"images" yaml:"images"`

	// SubscriptionID is the ID of the subscription.
	SubscriptionID string `json:"subscriptionID" yaml:"subscriptionID"`
}
CommunityGalleryImageRule verifies that one or more images in a community gallery exist and are accessible by a particular subscription.
func (*CommunityGalleryImageRule) DeepCopy (added in v0.0.12)
func (in *CommunityGalleryImageRule) DeepCopy() *CommunityGalleryImageRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommunityGalleryImageRule.
func (*CommunityGalleryImageRule) DeepCopyInto (added in v0.0.12)
func (in *CommunityGalleryImageRule) DeepCopyInto(out *CommunityGalleryImageRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (CommunityGalleryImageRule) Name (added in v0.0.12)
func (r CommunityGalleryImageRule) Name() string
Name returns the name of the community gallery image rule.
func (*CommunityGalleryImageRule) SetName (added in v0.0.18)
func (r *CommunityGalleryImageRule) SetName(name string)
SetName sets the name of the community gallery image rule.
type PermissionSet
type PermissionSet struct {
	// Actions is a list of actions that the role must be able to perform. Must not contain any
	// wildcards. If not specified, the role is assumed to already be able to perform all required
	// actions.
	// +kubebuilder:validation:MaxItems=1000
	// +kubebuilder:validation:XValidation:message="Actions cannot have wildcards.",rule="self.all(item, !item.contains('*'))"
	Actions []ActionStr `json:"actions,omitempty" yaml:"actions,omitempty"`

	// DataActions is a list of data actions that the role must be able to perform. Must not
	// contain any wildcards. If not provided, the role is assumed to already be able to perform
	// all required data actions.
	// +kubebuilder:validation:MaxItems=1000
	// +kubebuilder:validation:XValidation:message="DataActions cannot have wildcards.",rule="self.all(item, !item.contains('*'))"
	DataActions []ActionStr `json:"dataActions,omitempty" yaml:"dataActions,omitempty"`

	// Scope is the minimum scope of the role. Role assignments found at higher level scopes will
	// satisfy this. For example, a role assignment found with subscription scope will satisfy a
	// permission set where the role scope specified is a resource group within that subscription.
	Scope string `json:"scope" yaml:"scope"`
}
PermissionSet is part of an RBAC rule and verifies that a security principal has the specified permissions (via role assignments) at the specified scope. Scope can be either subscription, resource group, or resource.
func (*PermissionSet) DeepCopy
func (in *PermissionSet) DeepCopy() *PermissionSet
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionSet.
func (*PermissionSet) DeepCopyInto
func (in *PermissionSet) DeepCopyInto(out *PermissionSet)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type QuotaRule (added in v0.0.21)
type QuotaRule struct {
	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`

	// Unique identifier for the rule in the validator. Used to ensure conditions do not overwrite
	// each other.
	RuleName string `json:"name" yaml:"name"`

	// The resource sets in the rule, where each set is a scope with one or more resources
	// associated with it.
	ResourceSets []ResourceSet `json:"resourceSets" yaml:"resourceSets"`
}
QuotaRule ensures that Azure quotas are within a particular threshold.
func (*QuotaRule) DeepCopy (added in v0.0.21)
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QuotaRule.
func (*QuotaRule) DeepCopyInto (added in v0.0.21)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RBACRule
type RBACRule struct {
	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`

	// Unique identifier for the rule in the validator. Used to ensure conditions do not overwrite
	// each other.
	RuleName string `json:"name" yaml:"name"`

	// The permissions that the principal must have. If the principal has permissions less than
	// this, validation will fail. If the principal has permissions equal to or more than this
	// (e.g., inherited permissions from higher level scope, more roles than needed) validation
	// will pass.
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:MaxItems=20
	// +kubebuilder:validation:XValidation:message="Each permission set must have Actions, DataActions, or both defined",rule="self.all(item, size(item.actions) > 0 || size(item.dataActions) > 0)"
	Permissions []PermissionSet `json:"permissionSets" yaml:"permissionSets"`

	// The principal being validated. This can be any type of principal - Device, ForeignGroup,
	// Group, ServicePrincipal, or User. If using a service principal, this is the "application
	// object ID". In the Azure portal, this can be found by navigating to Entra ID, selecting the
	// application registration of the service principal, navigating from that page to the managed
	// application page, and copying the "object ID". This ID is different from the tenant ID,
	// client ID, and object ID of the application registration.
	PrincipalID string `json:"principalId" yaml:"principalId"`
}
RBACRule verifies that a security principal has permissions via role assignments and that no deny assignments deny the permissions.
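The two semantics the PermissionSet and RBACRule comments spell out, "role assignments found at higher level scopes will satisfy this" and "no deny assignments deny the permissions", as an added Go example; this is not the plugin's own evaluation code. The types are local, simplified mirrors: a RoleAssignment here already carries the Actions and NotActions of its role definition (which may use Azure wildcards, unlike the required actions, which the CRD forbids from containing "*"), a DenyAssignment carries only the actions it blocks, and DataActions are omitted because they are checked exactly like Actions. scopeCovers, actionMatches and the finding messages are this example's assumptions about how the comparison works, not statements about the plugin.

```go
package main

import (
	"fmt"
	"strings"
)

// Local mirror of the API type (hypothetical copy; DataActions are checked the same way and omitted).
type PermissionSet struct {
	Actions []string
	Scope   string
}

// RoleAssignment carries the assignment's scope plus its role definition's actions
// (assumption: definitions may use Azure wildcards such as "Microsoft.Compute/*").
type RoleAssignment struct {
	Scope               string
	Actions, NotActions []string
}

// DenyAssignment is a simplified deny assignment: its actions are blocked at its scope.
type DenyAssignment struct {
	Scope   string
	Actions []string
}

// scopeCovers: an assignment applies to the required scope when it sits at that scope or at an
// ancestor of it, which is how inherited assignments satisfy a permission set.
func scopeCovers(assignmentScope, requiredScope string) bool {
	a := strings.ToLower(strings.TrimRight(assignmentScope, "/"))
	r := strings.ToLower(strings.TrimRight(requiredScope, "/"))
	return a == "" || r == a || strings.HasPrefix(r, a+"/") // a == "" is the root scope "/"
}

// actionMatches matches a role-definition pattern against a concrete action; "*" matches any
// run of characters, "/" included, which is how Azure role definitions use it.
func actionMatches(pattern, action string) bool {
	parts := strings.Split(strings.ToLower(pattern), "*")
	s := strings.ToLower(action)
	if len(parts) == 1 {
		return parts[0] == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(s, mid)
		if i < 0 {
			return false
		}
		s = s[i+len(mid):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

// anyMatch reports whether any pattern in the list matches the action.
func anyMatch(patterns []string, action string) bool {
	for _, p := range patterns {
		if actionMatches(p, action) {
			return true
		}
	}
	return false
}

// evaluatePermissionSet returns one finding per required action that no covering role assignment
// grants and one per required action that a covering deny assignment blocks; no findings means the
// principal holds at least these permissions (extra roles or inherited scopes still pass).
func evaluatePermissionSet(ps PermissionSet, roles []RoleAssignment, denies []DenyAssignment) []string {
	var out []string
	for _, req := range ps.Actions {
		granted := false
		for _, ra := range roles {
			if scopeCovers(ra.Scope, ps.Scope) && anyMatch(ra.Actions, req) && !anyMatch(ra.NotActions, req) {
				granted = true
				break
			}
		}
		if !granted {
			out = append(out, fmt.Sprintf("action %q not granted at scope %s", req, ps.Scope))
		}
		for _, d := range denies {
			if scopeCovers(d.Scope, ps.Scope) && anyMatch(d.Actions, req) {
				out = append(out, fmt.Sprintf("action %q blocked by deny assignment at %s", req, d.Scope))
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: a read-only role at subscription scope and a deny at the resource group.
	sub := "/subscriptions/00000000-0000-0000-0000-000000000000"
	rg := sub + "/resourceGroups/rg-demo"
	roles := []RoleAssignment{{Scope: sub, Actions: []string{"Microsoft.Compute/*/read"}}}
	denies := []DenyAssignment{{Scope: rg, Actions: []string{"Microsoft.Compute/virtualMachines/read"}}}
	// read is inherited from the subscription but then blocked by the deny; write is never granted.
	ps := PermissionSet{Scope: rg, Actions: []string{"Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachines/write"}}
	for _, f := range evaluatePermissionSet(ps, roles, denies) {
		fmt.Println(f)
	}
}
```

The NotActions check matters in practice: a broad built-in role can list "*" under Actions while excluding whole providers under NotActions, so matching Actions alone would report a permission the principal does not actually hold.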
func (*RBACRule) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBACRule.
func (*RBACRule) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Resource (added in v0.0.21)
type Resource struct {
	// The name of the resource. This is a Microsoft.Quota resource name. Valid values depend on
	// which scope is used to check the resource. If a name invalid for the configured scope is
	// used, it will be skipped. For example, the resource names "virtualMachines" and
	// "standardDFamily" can be used when paired with a scope like "subscriptions/ec9aff0b-8346-4a49-ad2d-d006a12dfbfe/providers/Microsoft.Compute/locations/westus"
	// because these resource names are used with Microsoft.Compute scopes.
	Name string `json:"name" yaml:"name"`

	// The buffer of the resource. The amount that the current usage must be less than the current
	// quota by for validation to succeed for the rule. For example, if current quota was 3, current usage
	// was 2, and the buffer was set to 1, validation would succeed. However, if the buffer was set
	// to 2 instead of 1, validation would fail.
	Buffer int32 `json:"buffer" yaml:"buffer"`
}
Resource defines a quota and expected buffer (quota minus usage) for a particular Azure resource name.
func (*Resource) DeepCopy (added in v0.0.21)
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Resource.
func (*Resource) DeepCopyInto (added in v0.0.21)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceSet (added in v0.0.21)
type ResourceSet struct {
	// The scope of the resources. Used to determine which type of quota and usage is checked. For
	// example, the scope "subscriptions/ec9aff0b-8346-4a49-ad2d-d006a12dfbfe/providers/Microsoft.Compute/locations/westus"
	// checks info for Compute type quotas and usages in the "westus" location.
	Scope string `json:"scope" yaml:"scope"`

	// The resources in the resource set.
	Resources []Resource `json:"resources" yaml:"resources"`
}
ResourceSet defines a scope that can be used to check current quota and current usage data for one or more resources.
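The quota-buffer rule from the Resource and ResourceSet comments (usage must sit below the quota by at least the buffer, and a name that is not valid for the scope is skipped) as an added Go example, not the plugin's own code. The Resource and ResourceSet types are local copies; QuotaUsage stands in for whatever a quota client would return and is keyed here by scope and then by resource name, and treating a skipped resource as neither a pass nor a failure is this example's reading of "it will be skipped". The scope string and the "virtualMachines"/"standardDFamily" names are the ones the API comments use; the limits and usages are constructed.

```go
package main

import "fmt"

// Local mirrors of the two API types (hypothetical copies for a self-contained example).
type Resource struct {
	Name   string
	Buffer int32
}

type ResourceSet struct {
	Scope     string
	Resources []Resource
}

// QuotaUsage is one reading for a resource name under a scope: the current quota (limit) and
// the current usage. Assumption: this is the shape a Microsoft.Quota client would hand back.
type QuotaUsage struct {
	Limit, Usage int32
}

// Finding is the outcome for one resource of one resource set.
type Finding struct {
	Scope, Name          string
	Limit, Usage, Buffer int32
	Skipped              bool // no reading for this name under this scope; the API doc says such names are skipped
	OK                   bool
}

// bufferSatisfied is the documented rule: usage must sit below the quota by at least the buffer,
// so quota 3 and usage 2 pass with buffer 1 and fail with buffer 2.
func bufferSatisfied(limit, usage, buffer int32) bool {
	return limit-usage >= buffer
}

// evaluateResourceSets checks every resource of every set against readings keyed by scope and
// then by resource name. Skipped resources do not fail the rule (assumption); any resource whose
// buffer is not met fails it.
func evaluateResourceSets(sets []ResourceSet, readings map[string]map[string]QuotaUsage) (bool, []Finding) {
	pass := true
	var out []Finding
	for _, rs := range sets {
		for _, r := range rs.Resources {
			f := Finding{Scope: rs.Scope, Name: r.Name, Buffer: r.Buffer}
			if q, ok := readings[rs.Scope][r.Name]; ok {
				f.Limit, f.Usage = q.Limit, q.Usage
				f.OK = bufferSatisfied(q.Limit, q.Usage, r.Buffer)
				pass = pass && f.OK
			} else {
				f.Skipped = true
			}
			out = append(out, f)
		}
	}
	return pass, out
}

func main() {
	// Constructed readings; the scope string is the form the API comments use for Compute quotas.
	scope := "subscriptions/ec9aff0b-8346-4a49-ad2d-d006a12dfbfe/providers/Microsoft.Compute/locations/westus"
	readings := map[string]map[string]QuotaUsage{
		scope: {"virtualMachines": {Limit: 3, Usage: 2}, "standardDFamily": {Limit: 100, Usage: 96}},
	}
	sets := []ResourceSet{{Scope: scope, Resources: []Resource{
		{Name: "virtualMachines", Buffer: 1},  // 3-2 >= 1: ok
		{Name: "standardDFamily", Buffer: 10}, // 100-96 < 10: fails
		{Name: "notAComputeName", Buffer: 1},  // no reading under this scope: skipped
	}}}
	pass, findings := evaluateResourceSets(sets, readings)
	fmt.Println("rule passed:", pass)
	for _, f := range findings {
		fmt.Printf("%+v\n", f)
	}
}
```

Keeping the per-resource Finding rather than a single boolean is what lets a status condition say which resource and scope ran short of headroom, which is the information an operator needs before capacity is exhausted.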
func (*ResourceSet) DeepCopy (added in v0.0.21)
func (in *ResourceSet) DeepCopy() *ResourceSet
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceSet.
func (*ResourceSet) DeepCopyInto (added in v0.0.21)
func (in *ResourceSet) DeepCopyInto(out *ResourceSet)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ServicePrincipalCredentials (added in v0.0.22)
type ServicePrincipalCredentials struct {
	// The tenant ID associated with the service principal.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=36
	TenantID string `json:"tenantId" yaml:"tenantId"`

	// The client ID associated with the service principal.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=36
	ClientID string `json:"clientId" yaml:"clientId"`

	// The client secret associated with the service principal.
	// +kubebuilder:validation:MinLength=1
	ClientSecret string `json:"clientSecret" yaml:"clientSecret"`

	// The Azure environment to connect to. Can be "AzureCloud" (for the normal public cloud), "AzureUSGovernment", or
	// "AzureChinaCloud". If not provided, the Azure SDK defaults to connecting to the normal public cloud.
	// +kubebuilder:validation:Enum=AzureCloud;AzureUSGovernment;AzureChinaCloud
	Environment string `json:"environment,omitempty" yaml:"environment,omitempty"`
}
ServicePrincipalCredentials are the credentials used to authenticate as a service principal.
func (*ServicePrincipalCredentials) DeepCopy (added in v0.0.22)
func (in *ServicePrincipalCredentials) DeepCopy() *ServicePrincipalCredentials
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePrincipalCredentials.
func (*ServicePrincipalCredentials) DeepCopyInto (added in v0.0.22)
func (in *ServicePrincipalCredentials) DeepCopyInto(out *ServicePrincipalCredentials)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.