Documentation ¶
Index ¶
- Constants
- Variables
- func AdjustAdmResForOC()
- func AdjustAdmWebhookName()
- func DeduceAdmCtrlRoleRules(rscsToCheck utils.Set, objs interface{}) error
- func GetK8sVersion() (int, int)
- func GetTlsKeyCertPath(svcName, ns string) (string, string)
- func IsK8sNvWebhookConfigured(whName, failurePolicy string, wh *K8sAdmRegWebhook, checkNsSelector bool) bool
- func Register(platform, flavor, network string) orchAPI.ResourceDriver
- type AdmissionWebhookConfiguration
- type AwsSvcResource
- type CRD
- type ConfigMap
- type CustomDeploymentStrategyParams
- type DeploymentCause
- type DeploymentCauseImageTrigger
- type DeploymentCondition
- type DeploymentConditionReason
- type DeploymentConditionType
- type DeploymentConfig
- type DeploymentConfigList
- type DeploymentConfigRollback
- type DeploymentConfigRollbackSpec
- type DeploymentConfigSpec
- type DeploymentConfigStatus
- type DeploymentDetails
- type DeploymentLog
- type DeploymentLogOptions
- type DeploymentRequest
- type DeploymentStrategy
- type DeploymentStrategyType
- type DeploymentTriggerImageChangeParams
- type DeploymentTriggerPolicy
- type DeploymentTriggerType
- type Event
- type ExecNewPodHook
- type Image
- type ImageTag
- type K8sAdmRegRule
- type K8sAdmRegRuleWithOperations
- type K8sAdmRegServiceReference
- type K8sAdmRegValidatingWebhookConfiguration
- type K8sAdmRegWebhook
- type K8sAdmRegWebhookClientConfig
- type LifecycleHook
- type LifecycleHookFailurePolicy
- type Namespace
- type Node
- type NvAdmCtrlSecurityRule
- type NvAdmCtrlSecurityRuleList
- type NvAdmRegRuleSetting
- type NvClusterSecurityRule
- type NvClusterSecurityRuleList
- type NvCrdAdmCtrlConfig
- type NvCrdAdmCtrlRule
- type NvCrdInfo
- type NvSecurityAdmCtrlConfig
- type NvSecurityAdmCtrlRule
- type NvSecurityAdmCtrlRules
- type NvSecurityAdmCtrlSpec
- type NvSecurityFileRule
- type NvSecurityParse
- type NvSecurityProcessProfile
- type NvSecurityProcessRule
- type NvSecurityRule
- type NvSecurityRuleDetail
- type NvSecurityRuleList
- type NvSecurityRulePartial
- type NvSecurityRuleSpec
- type NvSecurityTarget
- type NvSecurityWafGroup
- type NvSecurityWafRule
- type NvSecurityWafSensor
- type NvSecurityWafSpec
- type NvWafSecurityRule
- type NvWafSecurityRuleList
- type Pod
- type RBAC
- type RecreateDeploymentStrategyParams
- type RollingDeploymentStrategyParams
- type Service
- type TagImageHook
Constants ¶
// Operation names used in admission webhook rules (the page labels this group "for OperationType").
const (
	OperationAll string = "*" // matches every operation
	Create       string = "CREATE"
	Update       string = "UPDATE"
	Delete       string = "DELETE"
	Connect      string = "CONNECT"
)
for OperationType
const ( ServiceTypeClusterIP string = "ClusterIP" ServiceTypeNodePort string = "NodePort" ServiceTypeLoadBalancer string = "LoadBalancer" ServiceTypeExternalName string = "ExternalName" )
for ServiceType
// Failure policy values for an admission webhook (the page labels this group "for FailurePolicyType").
// The strings match the Kubernetes admissionregistration failurePolicy values: with "Ignore" the
// API server admits a request when the webhook errors or cannot be reached (fail-open); with
// "Fail" such a request is rejected (fail-closed).
const (
	Ignore string = "Ignore"
	Fail   string = "Fail"
)
for FailurePolicyType
// Lower-case spellings of the failure policy values Ignore and Fail.
// NOTE(review): where these spellings are accepted is not visible here — confirm against callers.
const (
	IgnoreLower string = "ignore"
	FailLower   string = "fail"
)
// Side-effect classes a webhook can declare (the page labels this group "for SideEffectClass").
const (
	SideEffectNone          string = "None"
	SideEffectSome          string = "Some"
	SideEffectNoneOnDryRun  string = "NoneOnDryRun"
)
for SideEffectClass
const ( AwsSvcCloudformation = "cloudformation" AwsSvcCloudWatch = "cloudwatch" AwsSvcCognitoIdentity = "cognito-identity" AwsSvcCognitoSync = "cognito-sync" AwsSvcDynamodb = "dynamodb" AwsSvcEc2 = "ec2" AwsSvcEvents = "events" AwsSvcIam = "iam" AwsSvcIot = "iot" AwsSvcKinesis = "kinesis" AwsSvcKms = "kms" AwsSvcLambda = "lambda" AwsSvcLogs = "logs" AwsSvcS3 = "s3" AwsSvcSns = "sns" AwsSvcSqs = "sqs" AwsSvcTag = "tag" AwsSvcXray = "xray" )
// Sensitivity ratings. AwsSvcResMap uses them both for a whole AWS service (Sensitivity)
// and for individual actions of that service (DetailMap values).
const (
	AwsResHigh = "High"
	AwsResMid  = "Medium"
	AwsResLow  = "Low"
)
Permission sensitivity level
const ( K8sAllApiGroup = "*" K8sAdmApiGroup = "admissionregistration.k8s.io" K8sCrdApiGroup = "apiextensions.k8s.io" K8sAllApiVersion = "*" K8sApiVersionV1 = "v1" K8sApiVersionV1Beta1 = "v1beta1" K8sApiVersionV1Beta2 = "v1beta2" K8sResCronjobs = "cronjobs" K8sResDaemonsets = "daemonsets" K8sResDeployments = "deployments" K8sResDeploymentConfigs = "deploymentconfigs" K8sResJobs = "jobs" K8sResPods = "pods" K8sResReplicationControllers = "replicationcontrollers" K8sResReplicasets = "replicasets" K8sResServices = "services" K8sResStatefulSets = "statefulsets" )
const ( NvDeploymentName = "neuvector-controller-pod" NvDaemonSetName = "neuvector-allinone-pod" )
const ( NvAppRole = "neuvector-binding-app" NvAppRoleBinding = "neuvector-binding-app" NvAdmCtrlRole = "neuvector-binding-admission" NvAdmCtrlRoleBinding = "neuvector-binding-admission" )
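// Namespace label keys and label-selector operators. Presumably these feed the
// NamespaceSelector of the NeuVector admission webhooks — confirm against the code that
// builds the selector.
const (
	NsSelectorKeyStatusNV = "statusNeuvector" // written to only neuvector namespace's label

	// NOTE(review): the key name suggests that a namespace carrying this label is left out of
	// NeuVector admission control. If that is how the selector is built, permission to label a
	// namespace is also permission to opt it out, so namespace label changes should be
	// restricted by RBAC and audited — confirm.
	NsSelectorKeySkipNV = "skipNeuvectorAdmissionControl"

	NsSelectorOpNotExist = "DoesNotExist"
	NsSelectorOpExists   = "Exists"
)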
const ( AdmissionK8sIoV1 = "admission.k8s.io/v1" AdmissionK8sIoV1Beta1 = "admission.k8s.io/v1beta1" K8sKindAdmissionReview = "AdmissionReview" )
const ( K8sRscTypeClusRole = "k8s-cluster-role" K8sRscTypeClusRoleBinding = "k8s-cluster-role-binding" )
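// Defaults used in the deployment process. Each constant is on its own line so that the
// line comments no longer swallow the declarations that follow them.
const (
	// DefaultRollingTimeoutSeconds is the default TimeoutSeconds for RollingDeploymentStrategyParams.
	DefaultRollingTimeoutSeconds int64 = 10 * 60

	// DefaultRecreateTimeoutSeconds is the default TimeoutSeconds for RecreateDeploymentStrategyParams.
	DefaultRecreateTimeoutSeconds int64 = 10 * 60

	// DefaultRollingIntervalSeconds is the default IntervalSeconds for RollingDeploymentStrategyParams.
	DefaultRollingIntervalSeconds int64 = 1

	// DefaultRollingUpdatePeriodSeconds is the default PeriodSeconds for RollingDeploymentStrategyParams.
	DefaultRollingUpdatePeriodSeconds int64 = 1

	// MaxDeploymentDurationSeconds represents the maximum duration that a deployment is allowed to run.
	// This is set as the default value for ActiveDeadlineSeconds for the deployer pod.
	// Currently set to 6 hours.
	MaxDeploymentDurationSeconds int64 = 21600

	// DefaultRevisionHistoryLimit is the number of old ReplicationControllers to retain to allow for rollbacks.
	// This only applies to DeploymentConfigs created via the new group API resource, not the legacy resource.
	DefaultRevisionHistoryLimit int32 = 10
)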
These constants represent defaults used in the deployment process.
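// Resource type names. One constant per line: in the single-line form the first
// "// case sensitive!" comment hides every declaration after it.
const (
	RscTypeNode                           = "node"
	RscTypeNamespace                      = "namespace"
	RscTypeService                        = "service"
	RscTypePod                            = "pod"
	RscTypeRBAC                           = "rbac"
	RscTypeImage                          = "image"
	RscTypeCrd                            = "customresourcedefinition"
	RscTypeConfigMap                      = "configmap"
	RscTypeMutatingWebhookConfiguration   = "mutatingwebhookconfiguration"   // case sensitive!
	RscTypeValidatingWebhookConfiguration = "validatingwebhookconfiguration" // case sensitive!
	RscTypeCrdSecurityRule                = "nvsecurityrules"
	RscTypeCrdClusterSecurityRule         = "nvclustersecurityrules"
	RscTypeCrdAdmCtrlSecurityRule         = "nvadmissioncontrolsecurityrules"
	RscTypeCrdWafSecurityRule             = "nvwafsecurityrules"
)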
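// Plural resource names and Kind strings. One constant per line: in the single-line form the
// first "// case sensitive!" comment hides every declaration after it.
const (
	RscNamespaces                          = "namespaces"
	RscServices                            = "services"
	RscNameMutatingWebhookConfigurations   = "mutatingwebhookconfigurations"   // case sensitive!
	RscNameValidatingWebhookConfigurations = "validatingwebhookconfigurations" // case sensitive!
	RscNameCustomResourceDefinitions       = "customresourcedefinitions"       // case sensitive!
	RscKindMutatingWebhookConfiguration    = "MutatingWebhookConfiguration"    // case sensitive!
	RscKindValidatingWebhookConfiguration  = "ValidatingWebhookConfiguration"  // case sensitive!
)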
const ( WatchEventAdd = "ResourceAdd" WatchEventModify = "ResourceModify" WatchEventDelete = "ResourceDelete" WatchEventState = "StateUpdate" )
const ( ConnStateNone = "" ConnStateConnected = "connected" ConnStateDisconnected = "disconnected" )
const DefTimeoutSeconds = 30
const NvAdmCtrlSecurityRuleKind = "NvAdmissionControlSecurityRule"
const NvAdmCtrlSecurityRuleListKind = "NvAdmissionControlSecurityRuleList"
const NvAdmCtrlSecurityRuleName = "nvadmissioncontrolsecurityrules.neuvector.com"
const NvAdmCtrlSecurityRulePlural = "nvadmissioncontrolsecurityrules"
const NvAdmCtrlSecurityRuleSingular = "nvadmissioncontrolsecurityrule"
const NvAdmCtrlSecurityRuleVersion = "v1"
const NvClusterSecurityRuleKind = "NvClusterSecurityRule"
const NvClusterSecurityRuleListKind = "NvClusterSecurityRuleList"
const NvClusterSecurityRuleName = "nvclustersecurityrules.neuvector.com"
const NvClusterSecurityRulePlural = "nvclustersecurityrules"
const NvClusterSecurityRuleScope = "Cluster"
const NvClusterSecurityRuleSingular = "nvclustersecurityrule"
const NvClusterSecurityRuleVersion = "v1"
const NvSecurityRuleKind = "NvSecurityRule"
const NvSecurityRuleListKind = "NvSecurityRuleList"
const NvSecurityRuleName = "nvsecurityrules.neuvector.com"
const NvSecurityRulePlural = "nvsecurityrules"
const NvSecurityRuleScope = "Namespaced"
const NvSecurityRuleSingular = "nvsecurityrule"
const NvSecurityRuleVersion = "v1"
const NvWafSecurityRuleKind = "NvWafSecurityRule"
const NvWafSecurityRuleListKind = "NvWafSecurityRuleList"
const NvWafSecurityRuleName = "nvwafsecurityrules.neuvector.com"
const NvWafSecurityRulePlural = "nvwafsecurityrules"
const NvWafSecurityRuleSingular = "nvwafsecurityrule"
const NvWafSecurityRuleVersion = "v1"
Variables ¶
// AdmResForOpsSettings lists the rule settings for the admission webhook: one entry for
// Create and one for Update, each namespaced-scope. The resource sets (admResForCreateSet,
// admResForUpdateSet) are unexported and not shown on this page.
var AdmResForOpsSettings = []NvAdmRegRuleSetting{
	NvAdmRegRuleSetting{
		Operations: utils.NewSet(Create),
		Resources:  admResForCreateSet,
		Scope:      apiv1beta1.NamespacedScope,
	},
	NvAdmRegRuleSetting{
		Operations: utils.NewSet(Update),
		Resources:  admResForUpdateSet,
		Scope:      apiv1beta1.NamespacedScope,
	},
}
var AwsSvcPolicyMap map[string]string = map[string]string{ // contains filtered or unexported fields }
// AwsSvcResMap rates AWS services by sensitivity. Each entry carries the rating of the
// service as a whole, an AllowAll flag, and a DetailMap that rates individual actions.
// NOTE(review): how AllowAll and an empty DetailMap are interpreted is not visible on this
// page; dynamodb, lambda and s3 are rated High with AllowAll set — confirm that combination
// is intended.
var AwsSvcResMap = map[string]AwsSvcResource{
	AwsSvcCloudformation: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"DescribeChangeSet":      AwsResLow,
			"DescribeStackResources": AwsResLow,
			"DescribeStacks":         AwsResLow,
			"GetTemplate":            AwsResLow,
			"ListStackResources":     AwsResLow,
		},
	},
	AwsSvcCloudWatch: {
		Sensitivity: AwsResLow,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcCognitoIdentity: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListIdentityPools": AwsResLow,
		},
	},
	AwsSvcCognitoSync: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"GetCognitoEvents": AwsResLow,
			"SetCognitoEvents": AwsResMid,
		},
	},
	AwsSvcDynamodb: {
		Sensitivity: AwsResHigh,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcEc2: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"DescribeSecurityGroups": AwsResLow,
			"DescribeSubnets":        AwsResLow,
			"DescribeVpcs":           AwsResLow,
		},
	},
	AwsSvcEvents: {
		Sensitivity: AwsResLow,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcIam: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"GetPolicy":                AwsResLow,
			"GetPolicyVersion":         AwsResLow,
			"GetRole":                  AwsResLow,
			"GetRolePolicy":            AwsResLow,
			"ListAttachedRolePolicies": AwsResLow,
			"ListRolePolicies":         AwsResLow,
			"ListRoles":                AwsResLow,
			// NOTE(review): iam:PassRole lets a principal hand a role to an AWS service and is
			// usually reviewed as a privilege-escalation-relevant permission; confirm that
			// Medium is the intended rating.
			"PassRole": AwsResMid,
		},
	},
	AwsSvcIot: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"AttachPrincipalPolicy":    AwsResMid,
			"AttachThingPrincipal":     AwsResMid,
			"CreateKeysAndCertificate": AwsResMid,
			"CreatePolicy":             AwsResMid,
			"CreateThing":              AwsResMid,
			"CreateTopicRule":          AwsResMid,
			"DescribeEndpoint":         AwsResLow,
			"GetTopicRule":             AwsResLow,
			"ListPolicies":             AwsResLow,
			"ListThings":               AwsResLow,
			"ListTopicRules":           AwsResLow,
			"ReplaceTopicRule":         AwsResMid,
		},
	},
	AwsSvcKinesis: {
		Sensitivity: AwsResMid,
		AllowAll:    false,
		DetailMap: map[string]string{
			"DescribeStream": AwsResLow,
			"ListStreams":    AwsResLow,
			"PutRecord":      AwsResMid,
		},
	},
	AwsSvcKms: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListAliases": AwsResLow,
		},
	},
	AwsSvcLambda: {
		Sensitivity: AwsResHigh,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcLogs: {
		Sensitivity: AwsResLow,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcS3: {
		Sensitivity: AwsResHigh,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcSns: {
		Sensitivity: AwsResMid,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListSubscriptions":        AwsResLow,
			"ListSubscriptionsByTopic": AwsResLow,
			"ListTopics":               AwsResLow,
			"Publish":                  AwsResMid,
			"Subscribe":                AwsResMid,
			"Unsubscribe":              AwsResLow,
			// NOTE(review): ListQueues and SendMessage are SQS action names and also appear
			// under AwsSvcSqs below; they look copied into the SNS entry — confirm before
			// relying on them here.
			"ListQueues":  AwsResLow,
			"SendMessage": AwsResMid,
		},
	},
	AwsSvcSqs: {
		Sensitivity: AwsResMid,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListQueues":  AwsResLow,
			"SendMessage": AwsResMid,
		},
	},
	AwsSvcTag: {
		Sensitivity: AwsResLow,
		AllowAll:    false,
		DetailMap: map[string]string{
			"GetResources": AwsResLow,
		},
	},
	AwsSvcXray: {
		Sensitivity: AwsResLow,
		AllowAll:    false,
		DetailMap: map[string]string{
			"PutTelemetryRecords": AwsResLow,
			"PutTraceSegments":    AwsResLow,
		},
	},
}
// CrdResForOpsSettings holds the single rule setting for the CRD webhook: Create, Update and
// Delete on the resources in crdResForAllOpSet (unexported, not shown on this page), in all scopes.
var CrdResForOpsSettings = []NvAdmRegRuleSetting{
	NvAdmRegRuleSetting{
		Operations: utils.NewSet(Create, Update, Delete),
		Resources:  crdResForAllOpSet,
		Scope:      apiv1beta1.AllScopes,
	},
}
// Package-level sentinel errors. Compare against them with errors.Is (or ==) rather than
// by message text.
var (
	ErrMethodNotSupported   = errors.New("Method not supported")
	ErrResourceNotSupported = errors.New("Method on resource not supported")
	ErrUserNotFound         = errors.New("User not found")
)
// NOTE(review): the trailing comment says ValidatingWebhookConfiguration, but the variable and
// its value name the mutating webhook; presumably the comment was copied from
// NvAdmValidatingName and MutatingWebhookConfiguration is meant — confirm.
var NvAdmMutatingName = "neuvector-mutating-admission-webhook" // ValidatingWebhookConfiguration resource instance metadata name
ValidatingWebhookConfiguration resource instance (neuvector-validating-admission-webhook) contains 2 webhooks:
- neuvector-validating-admission-webhook.neuvector.svc
- neuvector-validating-status-webhook.neuvector.svc
var NvAdmMutatingWebhookName string
List all mutating application names here and join the list.
var NvAdmSvcName = "neuvector-svc-admission-webhook"
var NvAdmSvcNamespace = "neuvector"
var NvAdmValidatingName = "neuvector-validating-admission-webhook" // ValidatingWebhookConfiguration resource instance metadata name
var NvAdmValidatingWebhookName string
List all validating application names here and join the list.
var NvCrdSvcName = "neuvector-svc-crd-webhook"
var NvCrdValidatingName = "neuvector-validating-crd-webhook" // ValidatingWebhookConfiguration resource instance metadata name
var NvCrdValidatingWebhookName string
var NvListKind = "List"
// NvMutatingWebhookNameList is built from NvAdmMutatingWebhookName when package variables are
// initialised. That variable is declared without an initial value, so at that point the list
// holds one empty string.
// NOTE(review): presumably AdjustAdmWebhookName assigns the real names afterwards — confirm
// that the list is rebuilt before webhook names are matched against it.
var NvMutatingWebhookNameList = []string{NvAdmMutatingWebhookName}
var NvStatusValidatingWebhookName string
var NvValidatingWebhookNameList []string
// StatusResForOpsSettings lists the rule settings for the status webhook: Create and Update
// share one resource set, Delete has its own; both are namespaced-scope. The resource sets
// are unexported and not shown on this page.
var StatusResForOpsSettings = []NvAdmRegRuleSetting{
	NvAdmRegRuleSetting{
		Operations: utils.NewSet(Create, Update),
		Resources:  statusResForCreateUpdateSet,
		Scope:      apiv1beta1.NamespacedScope,
	},
	NvAdmRegRuleSetting{
		Operations: utils.NewSet(Delete),
		Resources:  statusResForDeleteSet,
		Scope:      apiv1beta1.NamespacedScope,
	},
}
Functions ¶
func AdjustAdmResForOC ¶
func AdjustAdmResForOC()
func AdjustAdmWebhookName ¶
func AdjustAdmWebhookName()
func DeduceAdmCtrlRoleRules ¶
func GetK8sVersion ¶
func GetTlsKeyCertPath ¶
func IsK8sNvWebhookConfigured ¶
func IsK8sNvWebhookConfigured(whName, failurePolicy string, wh *K8sAdmRegWebhook, checkNsSelector bool) bool
func Register ¶
func Register(platform, flavor, network string) orchAPI.ResourceDriver
Types ¶
type AwsSvcResource ¶
type CustomDeploymentStrategyParams ¶
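// CustomDeploymentStrategyParams carries the inputs of the Custom deployment strategy.
// Fields are laid out one per line so the field comments no longer swallow the declarations
// that follow them.
type CustomDeploymentStrategyParams struct {
	// Image specifies a Docker image which can carry out a deployment.
	Image string `json:"image"`
	// Environment holds the environment which will be given to the container for Image.
	Environment []kapi.EnvVar `json:"environment,omitempty"`
	// Command is optional and overrides CMD in the container Image.
	Command []string `json:"command,omitempty"`
}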
CustomDeploymentStrategyParams are the input to the Custom deployment strategy.
type DeploymentCause ¶
type DeploymentCause struct { // Type is the type of the trigger that resulted in the creation of a new deployment Type DeploymentTriggerType `json:"type"` // ImageTrigger contains the image trigger details, if this trigger was fired based on an image change ImageTrigger *DeploymentCauseImageTrigger `json:"imageTrigger,omitempty"` }
DeploymentCause captures information about a particular cause of a deployment.
type DeploymentCauseImageTrigger ¶
type DeploymentCauseImageTrigger struct { // From is a reference to the changed object which triggered a deployment. The field may have // the kinds DockerImage, ImageStreamTag, or ImageStreamImage. From kapi.ObjectReference `json:"from"` }
DeploymentCauseImageTrigger contains information about a deployment caused by an image trigger
type DeploymentCondition ¶
type DeploymentCondition struct { // Type of deployment condition. Type DeploymentConditionType `json:"type"` // Status of the condition, one of True, False, Unknown. Status kapi.ConditionStatus `json:"status"` // The last time this condition was updated. LastUpdateTime metav1.Time `json:"lastUpdateTime"` // The last time the condition transitioned from one status to another. LastTransitionTime metav1.Time `json:"lastTransitionTime"` // The reason for the condition's last transition. Reason DeploymentConditionReason `json:"reason"` // A human readable message indicating details about the transition. Message string `json:"message"` }
DeploymentCondition describes the state of a deployment config at a certain point.
type DeploymentConditionReason ¶
type DeploymentConditionReason string
type DeploymentConditionType ¶
type DeploymentConditionType string
type DeploymentConfig ¶
type DeploymentConfig struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` // Spec represents a desired deployment state and how to deploy to it. Spec DeploymentConfigSpec `json:"spec"` // Status represents the current deployment state. Status DeploymentConfigStatus `json:"status"` }
DeploymentConfig represents a configuration for a single deployment (represented as a ReplicationController). It also contains details about changes which resulted in the current state of the DeploymentConfig. Each change to the DeploymentConfig which should result in a new deployment results in an increment of LatestVersion.
type DeploymentConfigList ¶
type DeploymentConfigList struct { metav1.TypeMeta `json:",inline"` Metadata metav1.ListMeta `json:"metadata,omitempty"` // Items is a list of deployment configs Items []DeploymentConfig `json:"items,omitempty"` }
DeploymentConfigList is a collection of deployment configs.
type DeploymentConfigRollback ¶
type DeploymentConfigRollback struct { metav1.TypeMeta `json:",inline"` // Name of the deployment config that will be rolled back. Name string `json:"name"` // UpdatedAnnotations is a set of new annotations that will be added in the deployment config. UpdatedAnnotations map[string]string `json:"updatedAnnotations,omitempty"` // Spec defines the options to rollback generation. Spec DeploymentConfigRollbackSpec `json:"spec"` }
DeploymentConfigRollback provides the input to rollback generation.
type DeploymentConfigRollbackSpec ¶
type DeploymentConfigRollbackSpec struct { // From points to a ReplicationController which is a deployment. From kapi.ObjectReference `json:"from"` // Revision to rollback to. If set to 0, rollback to the last revision. Revision int64 `json:"revision"` // IncludeTriggers specifies whether to include config Triggers. IncludeTriggers bool `json:"includeTriggers"` // IncludeTemplate specifies whether to include the PodTemplateSpec. IncludeTemplate bool `json:"includeTemplate"` // IncludeReplicationMeta specifies whether to include the replica count and selector. IncludeReplicationMeta bool `json:"includeReplicationmeta"` // IncludeStrategy specifies whether to include the deployment Strategy. IncludeStrategy bool `json:"includeStrategy"` }
DeploymentConfigRollbackSpec represents the options for rollback generation.
type DeploymentConfigSpec ¶
type DeploymentConfigSpec struct { // Strategy describes how a deployment is executed. Strategy DeploymentStrategy `json:"strategy"` // MinReadySeconds is the minimum number of seconds for which a newly created pod should // be ready without any of its container crashing, for it to be considered available. // Defaults to 0 (pod will be considered available as soon as it is ready) MinReadySeconds int32 `json:"minReadySeconds"` // Triggers determine how updates to a DeploymentConfig result in new deployments. If no triggers // are defined, a new deployment can only occur as a result of an explicit client update to the // DeploymentConfig with a new LatestVersion. Triggers []DeploymentTriggerPolicy `json:"triggers,omitempty"` // Replicas is the number of desired replicas. Replicas int32 `json:"replicas"` // RevisionHistoryLimit is the number of old ReplicationControllers to retain to allow for rollbacks. // This field is a pointer to allow for differentiation between an explicit zero and not specified. // Defaults to 10. (This only applies to DeploymentConfigs created via the new group API resource, not the legacy resource.) RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"` // Test ensures that this deployment config will have zero replicas except while a deployment is running. This allows the // deployment config to be used as a continuous deployment test - triggering on images, running the deployment, and then succeeding // or failing. Post strategy hooks and After actions can be used to integrate successful deployment with an action. Test bool `json:"test"` // Paused indicates that the deployment config is paused resulting in no new deployments on template // changes or changes in the template caused by other triggers. Paused bool `json:"paused"` // Selector is a label query over pods that should match the Replicas count. 
Selector map[string]string `json:"selector,omitempty"` // Template is the object that describes the pod that will be created if // insufficient replicas are detected. Template *kapi.PodTemplateSpec `json:"template,omitempty"` }
DeploymentConfigSpec represents the desired state of the deployment.
type DeploymentConfigStatus ¶
type DeploymentConfigStatus struct { // LatestVersion is used to determine whether the current deployment associated with a deployment // config is out of sync. LatestVersion int64 `json:"latestVersion"` // ObservedGeneration is the most recent generation observed by the deployment config controller. ObservedGeneration int64 `json:"observedGeneration"` // Replicas is the total number of pods targeted by this deployment config. Replicas int32 `json:"replicas"` // UpdatedReplicas is the total number of non-terminated pods targeted by this deployment config // that have the desired template spec. UpdatedReplicas int32 `json:"updatedReplicas"` // AvailableReplicas is the total number of available pods targeted by this deployment config. AvailableReplicas int32 `json:"availableReplicas"` UnavailableReplicas int32 `json:"unavailableReplicas"` // Details are the reasons for the update to this deployment config. // This could be based on a change made by the user or caused by an automatic trigger Details *DeploymentDetails `json:"details,omitempty"` // Conditions represents the latest available observations of a deployment config's current state. Conditions []DeploymentCondition `json:"conditions,omitempty"` // Total number of ready pods targeted by this deployment. ReadyReplicas int32 `json:"readyReplicas"` }
DeploymentConfigStatus represents the current deployment state.
type DeploymentDetails ¶
type DeploymentDetails struct { // Message is the user specified change message, if this deployment was triggered manually by the user Message string `json:"message"` // Causes are extended data associated with all the causes for creating a new deployment Causes []DeploymentCause `json:"causes,omitempty"` }
DeploymentDetails captures information about the causes of a deployment.
type DeploymentLog ¶
DeploymentLog represents the logs for a deployment
type DeploymentLogOptions ¶
type DeploymentLogOptions struct { metav1.TypeMeta `json:",inline"` // Container for which to return logs Container string `json:"container"` // Follow if true indicates that the deployment log should be streamed until // the deployment terminates. Follow bool `json:"follow"` // If true, return previous deployment logs Previous bool `json:"previous"` // A relative time in seconds before the current time from which to show logs. If this value // precedes the time a pod was started, only logs since the pod start will be returned. // If this value is in the future, no logs will be returned. // Only one of sinceSeconds or sinceTime may be specified. SinceSeconds *int64 `json:"sinceSeconds,omitempty"` // An RFC3339 timestamp from which to show logs. If this value // precedes the time a pod was started, only logs since the pod start will be returned. // If this value is in the future, no logs will be returned. // Only one of sinceSeconds or sinceTime may be specified. SinceTime *metav1.Time `json:"sinceTime,omitempty"` // If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line // of log output. Timestamps bool `json:"timestamps"` // If set, the number of lines from the end of the logs to show. If not specified, // logs are shown from the creation of the container or sinceSeconds or sinceTime TailLines *int64 `json:"tailLines,omitempty"` // If set, the number of bytes to read from the server before terminating the // log output. This may not display a complete final line of logging, and may return // slightly more or slightly less than the specified limit. LimitBytes *int64 `json:"limitBytes,omitempty"` // NoWait if true causes the call to return immediately even if the deployment // is not available yet. Otherwise the server will wait until the deployment has started. NoWait bool `json:"noWait"` // Version of the deployment for which to view logs. Version *int64 `json:"version,omitempty"` }
DeploymentLogOptions is the REST options for a deployment log
type DeploymentRequest ¶
type DeploymentRequest struct { metav1.TypeMeta `json:",inline"` // Name of the deployment config for requesting a new deployment. Name string `json:"name"` // Latest will update the deployment config with the latest state from all triggers. Latest bool `json:"latest"` // Force will try to force a new deployment to run. If the deployment config is paused, // then setting this to true will return an Invalid error. Force bool `json:"force"` // ExcludeTriggers instructs the instantiator to avoid processing the specified triggers. // This field overrides the triggers from latest and allows clients to control specific // logic. ExcludeTriggers []DeploymentTriggerType `json:"excludeTriggers,omitempty"` }
DeploymentRequest is a request to a deployment config for a new deployment.
type DeploymentStrategy ¶
type DeploymentStrategy struct { // Type is the name of a deployment strategy. Type DeploymentStrategyType `json:"type"` // CustomParams are the input to the Custom deployment strategy, and may also // be specified for the Recreate and Rolling strategies to customize the execution // process that runs the deployment. CustomParams *CustomDeploymentStrategyParams `json:"customParams,omitempty"` // RecreateParams are the input to the Recreate deployment strategy. RecreateParams *RecreateDeploymentStrategyParams `json:"recreateParams,omitempty"` // RollingParams are the input to the Rolling deployment strategy. RollingParams *RollingDeploymentStrategyParams `json:"rollingParams,omitempty"` // Resources contains resource requirements to execute the deployment and any hooks. Resources kapi.ResourceRequirements `json:"resources"` // Labels is a set of key, value pairs added to custom deployer and lifecycle pre/post hook pods. Labels map[string]string `json:"labels,omitempty"` // Annotations is a set of key, value pairs added to custom deployer and lifecycle pre/post hook pods. Annotations map[string]string `json:"annotations,omitempty"` // ActiveDeadlineSeconds is the duration in seconds that the deployer pods for this deployment // config may be active on a node before the system actively tries to terminate them. ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty"` }
DeploymentStrategy describes how to perform a deployment.
type DeploymentStrategyType ¶
type DeploymentStrategyType string
DeploymentStrategyType refers to a specific DeploymentStrategy implementation.
const ( // DeploymentStrategyTypeRecreate is a simple strategy suitable as a default. DeploymentStrategyTypeRecreate DeploymentStrategyType = "Recreate" // DeploymentStrategyTypeCustom is a user defined strategy. DeploymentStrategyTypeCustom DeploymentStrategyType = "Custom" // DeploymentStrategyTypeRolling uses the Kubernetes RollingUpdater. DeploymentStrategyTypeRolling DeploymentStrategyType = "Rolling" )
type DeploymentTriggerImageChangeParams ¶
type DeploymentTriggerImageChangeParams struct { // Automatic means that the detection of a new tag value should result in an image update // inside the pod template. Automatic bool `json:"automatic"` // ContainerNames is used to restrict tag updates to the specified set of container names in a pod. ContainerNames []string `json:"containerNames,omitempty"` // From is a reference to an image stream tag to watch for changes. From.Name is the only // required subfield - if From.Namespace is blank, the namespace of the current deployment // trigger will be used. From kapi.ObjectReference `json:"from"` // LastTriggeredImage is the last image to be triggered. LastTriggeredImage string `json:"lastTriggeredImage"` }
DeploymentTriggerImageChangeParams represents the parameters to the ImageChange trigger.
type DeploymentTriggerPolicy ¶
type DeploymentTriggerPolicy struct { // Type of the trigger Type DeploymentTriggerType `json:"type"` // ImageChangeParams represents the parameters for the ImageChange trigger. ImageChangeParams *DeploymentTriggerImageChangeParams `json:"imageChangeParams,omitempty"` }
DeploymentTriggerPolicy describes a policy for a single trigger that results in a new deployment.
type DeploymentTriggerType ¶
type DeploymentTriggerType string
DeploymentTriggerType refers to a specific DeploymentTriggerPolicy implementation.
const ( // DeploymentTriggerManual is a placeholder implementation which does nothing. DeploymentTriggerManual DeploymentTriggerType = "Manual" // DeploymentTriggerOnImageChange will create new deployments in response to updated tags from // a Docker image repository. DeploymentTriggerOnImageChange DeploymentTriggerType = "ImageChange" // DeploymentTriggerOnConfigChange will create new deployments in response to changes to // the ControllerTemplate of a DeploymentConfig. DeploymentTriggerOnConfigChange DeploymentTriggerType = "ConfigChange" )
type ExecNewPodHook ¶
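// ExecNewPodHook describes a hook that runs a command in a new pod derived from a container
// of the deployment pod template. Fields are laid out one per line so the field comments no
// longer swallow the declarations that follow them.
type ExecNewPodHook struct {
	// Command is the action command and its arguments.
	Command []string `json:"command,omitempty"`
	// Env is a set of environment variables to supply to the hook pod's container.
	Env []kapi.EnvVar `json:"env,omitempty"`
	// ContainerName is the name of a container in the deployment pod template
	// whose Docker image will be used for the hook pod's container.
	ContainerName string `json:"containerName"`
	// Volumes is a list of named volumes from the pod template which should be
	// copied to the hook pod. Volumes names not found in pod spec are ignored.
	// An empty list means no volumes will be copied.
	Volumes []string `json:"volumes,omitempty"`
}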
ExecNewPodHook is a hook implementation which runs a command in a new pod based on the specified container which is assumed to be part of the deployment template.
type K8sAdmRegRule ¶
type K8sAdmRegRuleWithOperations ¶
type K8sAdmRegRuleWithOperations struct { Operations []string Rule *K8sAdmRegRule }
type K8sAdmRegServiceReference ¶
--- for generic types in admissionregistration v1/v1beta1
type K8sAdmRegValidatingWebhookConfiguration ¶
type K8sAdmRegValidatingWebhookConfiguration struct { Metadata *metav1.ObjectMeta Webhooks []*K8sAdmRegWebhook }
type K8sAdmRegWebhook ¶
// K8sAdmRegWebhook describes one webhook entry of a webhook configuration
// (K8sAdmRegValidatingWebhookConfiguration.Webhooks holds a slice of these).
// Name, ClientConfig, FailurePolicy, NamespaceSelector and SideEffects are pointers, so code
// that inspects a webhook has to handle nil for each of them.
type K8sAdmRegWebhook struct {
	Name                    *string
	AdmissionReviewVersions []string
	ClientConfig            *K8sAdmRegWebhookClientConfig
	Rules                   []*K8sAdmRegRuleWithOperations
	FailurePolicy           *string // NOTE(review): presumably one of Ignore / Fail — confirm
	NamespaceSelector       *metav1.LabelSelector
	SideEffects             *string // NOTE(review): presumably one of the SideEffect* constants — confirm
}
type K8sAdmRegWebhookClientConfig ¶
// K8sAdmRegWebhookClientConfig carries the endpoint information of a webhook:
// a URL or a service reference, plus a CA bundle.
// NOTE(review): presumably mirrors WebhookClientConfig of the Kubernetes
// admissionregistration API — confirm.
type K8sAdmRegWebhookClientConfig struct {
	// Url and Service are pointers and may be nil.
	Url     *string
	Service *K8sAdmRegServiceReference
	// NOTE(review): presumably the CA certificates used to verify the webhook
	// server's TLS certificate; an empty or stale bundle is worth detecting
	// when the stored configuration is compared with the expected one.
	CaBundle []byte
}
type LifecycleHook ¶
// LifecycleHook defines a specific deployment lifecycle action.
//
// Both ExecNewPod and TagImages can be populated in the same value; the struct
// itself does not enforce that only one action type is set.
// NOTE(review): confirm that constraint is validated where hooks are consumed.
type LifecycleHook struct {
	// FailurePolicy specifies what action to take if the hook fails.
	FailurePolicy LifecycleHookFailurePolicy `json:"failurePolicy"`
	// ExecNewPod specifies the options for a lifecycle hook backed by a pod.
	ExecNewPod *ExecNewPodHook `json:"execNewPod,omitempty"`
	// TagImages instructs the deployer to tag the current image referenced under a container onto an image stream tag.
	TagImages []TagImageHook `json:"tagImages,omitempty"`
}
LifecycleHook defines a specific deployment lifecycle action. Only one type of action may be specified at any time.
type LifecycleHookFailurePolicy ¶
// LifecycleHookFailurePolicy is a string type naming the action to take when a
// lifecycle hook fails. Being a plain string, it can hold values other than
// the declared constants; consumers should handle unknown values explicitly.
type LifecycleHookFailurePolicy string
LifecycleHookFailurePolicy describes possible actions to take if a hook fails.
// Values of LifecycleHookFailurePolicy declared by this package.
const (
	// LifecycleHookFailurePolicyRetry means retry the hook until it succeeds.
	LifecycleHookFailurePolicyRetry LifecycleHookFailurePolicy = "Retry"
	// LifecycleHookFailurePolicyAbort means abort the deployment.
	LifecycleHookFailurePolicyAbort LifecycleHookFailurePolicy = "Abort"
	// LifecycleHookFailurePolicyIgnore means ignore failure and continue the deployment.
	LifecycleHookFailurePolicyIgnore LifecycleHookFailurePolicy = "Ignore"
)
type NvAdmCtrlSecurityRule ¶
// NvAdmCtrlSecurityRule is the JSON shape of an admission control rule
// resource: kind, apiVersion, object metadata and an admission control spec.
type NvAdmCtrlSecurityRule struct {
	// Kind and ApiVersion are optional and omitted from JSON when nil.
	Kind       *string `json:"kind,omitempty"`
	ApiVersion *string `json:"apiVersion,omitempty"`
	// Metadata has no omitempty: a nil pointer is marshalled as null, and it
	// stays nil if the key is absent on decode.
	Metadata *metav1.ObjectMeta    `json:"metadata"`
	Spec     NvSecurityAdmCtrlSpec `json:"spec"`
}
func (*NvAdmCtrlSecurityRule) GetMetadata ¶
func (m *NvAdmCtrlSecurityRule) GetMetadata() *metav1.ObjectMeta
type NvAdmCtrlSecurityRuleList ¶
// NvAdmCtrlSecurityRuleList is the list form of NvAdmCtrlSecurityRule: kind,
// apiVersion, list metadata and the items.
type NvAdmCtrlSecurityRuleList struct {
	Kind       *string          `json:"kind,omitempty"`
	ApiVersion *string          `json:"apiVersion,omitempty"`
	Metadata   *metav1.ListMeta `json:"metadata"`
	// Items holds pointers; entries may be nil.
	Items []*NvAdmCtrlSecurityRule `json:"items"`
	// XXX_unrecognized is excluded from JSON by the "-" tag.
	XXX_unrecognized []byte `json:"-"`
}
func (*NvAdmCtrlSecurityRuleList) GetMetadata ¶
func (m *NvAdmCtrlSecurityRuleList) GetMetadata() *metav1.ListMeta
type NvAdmRegRuleSetting ¶
type NvClusterSecurityRule ¶
// NvClusterSecurityRule is the JSON shape of a cluster security rule resource:
// kind, apiVersion, object metadata and a security rule spec. It has the same
// field layout as NvSecurityRule.
type NvClusterSecurityRule struct {
	// Kind and ApiVersion are optional and omitted from JSON when nil.
	Kind       *string `json:"kind,omitempty"`
	ApiVersion *string `json:"apiVersion,omitempty"`
	// Metadata has no omitempty: a nil pointer is marshalled as null.
	Metadata *metav1.ObjectMeta `json:"metadata"`
	Spec     NvSecurityRuleSpec `json:"spec"`
}
func (*NvClusterSecurityRule) GetMetadata ¶
func (m *NvClusterSecurityRule) GetMetadata() *metav1.ObjectMeta
type NvClusterSecurityRuleList ¶
// NvClusterSecurityRuleList is the list form of NvClusterSecurityRule: kind,
// apiVersion, list metadata and the items.
type NvClusterSecurityRuleList struct {
	Kind       *string          `json:"kind,omitempty"`
	ApiVersion *string          `json:"apiVersion,omitempty"`
	Metadata   *metav1.ListMeta `json:"metadata"`
	// Items holds pointers; entries may be nil.
	Items []*NvClusterSecurityRule `json:"items"`
	// XXX_unrecognized is excluded from JSON by the "-" tag.
	XXX_unrecognized []byte `json:"-"`
}
func (*NvClusterSecurityRuleList) GetMetadata ¶
func (m *NvClusterSecurityRuleList) GetMetadata() *metav1.ListMeta
type NvCrdAdmCtrlConfig ¶
type NvCrdAdmCtrlRule ¶
// NvCrdAdmCtrlRule is one admission control rule in its value (non-pointer)
// form: every scalar field is always present in the JSON output, unlike the
// all-optional NvSecurityAdmCtrlRule.
type NvCrdAdmCtrlRule struct {
	ID       uint32 `json:"id"`        // only set for default rules
	RuleType string `json:"rule_type"` // ValidatingExceptRuleType / ValidatingDenyRuleType (see above)
	Comment  string `json:"comment"`
	// Criteria holds pointers; entries may be nil. Omitted from JSON when empty.
	Criteria []*api.RESTAdmRuleCriterion `json:"criteria,omitempty"`
	// Disabled is always serialized; the zero value means the rule is not disabled.
	Disabled bool `json:"disabled"`
}
type NvSecurityAdmCtrlConfig ¶
// NvSecurityAdmCtrlConfig holds the admission control settings carried in an
// admission control spec.
type NvSecurityAdmCtrlConfig struct {
	// Enable and Mode are optional and omitted from JSON when nil.
	Enable *bool   `json:"enable,omitempty"`
	Mode   *string `json:"mode,omitempty"`
	// AdmClientMode carries a validate:"required" tag. encoding/json ignores
	// that tag, so the pointer can still be nil after a plain Unmarshal.
	// NOTE(review): confirm a validator runs before this field is dereferenced.
	AdmClientMode *string `json:"client_mode" validate:"required"`
}
admission control CRD resources are non-namespaced
type NvSecurityAdmCtrlRule ¶
// NvSecurityAdmCtrlRule is one admission control rule as written in a spec.
// Every field is optional (pointer or slice with omitempty), so a decoded rule
// may have any of them nil; check before dereferencing.
type NvSecurityAdmCtrlRule struct {
	ID      *uint32 `json:"id,omitempty"`
	Action  *string `json:"action,omitempty"` // api.ValidatingAllowRuleType / api.ValidatingDenyRuleType
	Comment *string `json:"comment,omitempty"`
	// Disabled being nil is distinct from an explicit false.
	// NOTE(review): confirm how consumers treat the nil case.
	Disabled *bool                       `json:"disabled,omitempty"`
	Criteria []*api.RESTAdmRuleCriterion `json:"criteria,omitempty"`
}
type NvSecurityAdmCtrlRules ¶
// NvSecurityAdmCtrlRules wraps a list of admission control rules under the
// JSON key "rules".
type NvSecurityAdmCtrlRules struct {
	// Rules holds pointers; entries may be nil. Omitted from JSON when empty.
	Rules []*NvSecurityAdmCtrlRule `json:"rules,omitempty"`
}
type NvSecurityAdmCtrlSpec ¶
// NvSecurityAdmCtrlSpec is the spec of an admission control rule resource: an
// optional configuration and an optional list of rules.
type NvSecurityAdmCtrlSpec struct {
	// Config is nil when the spec carries no "config" key.
	Config *NvSecurityAdmCtrlConfig `json:"config,omitempty"`
	// Rules holds pointers; entries may be nil.
	Rules []*NvSecurityAdmCtrlRule `json:"rules,omitempty"`
}
type NvSecurityFileRule ¶
type NvSecurityParse ¶
// NvSecurityParse groups the configuration pieces associated with one target
// name. The struct has no JSON tags.
// NOTE(review): presumably the result of parsing a single CRD object — confirm
// with the parser that fills it. Pointer fields may be nil.
type NvSecurityParse struct {
	TargetName        string
	PolicyModeCfg     *api.RESTServiceConfig
	ProcessProfileCfg *api.RESTProcessProfile
	FileProfileCfg    *api.RESTFileMonitorProfile
	GroupCfgs         []api.RESTCrdGroupConfig
	RuleCfgs          []api.RESTPolicyRuleConfig
	WafGroupCfg       *api.RESTCrdWafGroupConfig // per-group's waf sensor configuration
	AdmCtrlCfg        *NvCrdAdmCtrlConfig
	AdmCtrlRulesCfg   map[string][]*NvCrdAdmCtrlRule // map key is "deny" / "exception"
	WafSensorCfg      *api.RESTWafSensorConfig       // waf sensor defined by this crd object
}
type NvSecurityProcessProfile ¶
// NvSecurityProcessProfile carries the process profile baseline of a rule spec.
type NvSecurityProcessProfile struct {
	// Baseline has no omitempty: a nil pointer is marshalled as null, and it
	// stays nil when the key is absent on decode.
	Baseline *string `json:"baseline"`
}
type NvSecurityProcessRule ¶
type NvSecurityRule ¶
// NvSecurityRule is the JSON shape of a security rule resource: kind,
// apiVersion, object metadata and a security rule spec.
type NvSecurityRule struct {
	// Kind and ApiVersion are optional and omitted from JSON when nil.
	Kind       *string `json:"kind,omitempty"`
	ApiVersion *string `json:"apiVersion,omitempty"`
	// Metadata has no omitempty: a nil pointer is marshalled as null.
	Metadata *metav1.ObjectMeta `json:"metadata"`
	Spec     NvSecurityRuleSpec `json:"spec"`
}
func (*NvSecurityRule) GetMetadata ¶
func (m *NvSecurityRule) GetMetadata() *metav1.ObjectMeta
type NvSecurityRuleDetail ¶
type NvSecurityRuleList ¶
// NvSecurityRuleList is the list form of NvSecurityRule: kind, apiVersion,
// list metadata and the items.
type NvSecurityRuleList struct {
	Kind       *string          `json:"kind,omitempty"`
	ApiVersion *string          `json:"apiVersion,omitempty"`
	Metadata   *metav1.ListMeta `json:"metadata"`
	// Items holds pointers; entries may be nil.
	Items []*NvSecurityRule `json:"items"`
	// XXX_unrecognized is excluded from JSON by the "-" tag.
	XXX_unrecognized []byte `json:"-"`
}
func (*NvSecurityRuleList) GetMetadata ¶
func (m *NvSecurityRuleList) GetMetadata() *metav1.ListMeta
type NvSecurityRulePartial ¶
// NvSecurityRulePartial has the kind, apiVersion and metadata fields of a
// security rule resource but no spec.
// NOTE(review): presumably used to inspect a resource's identity without
// decoding its spec — confirm with the callers.
type NvSecurityRulePartial struct {
	Kind       *string            `json:"kind,omitempty"`
	ApiVersion *string            `json:"apiVersion,omitempty"`
	Metadata   *metav1.ObjectMeta `json:"metadata"`
	// XXX_unrecognized is excluded from JSON by the "-" tag.
	XXX_unrecognized []byte `json:"-"`
}
type NvSecurityRuleSpec ¶
// NvSecurityRuleSpec is the spec of a security rule resource: the target plus
// ingress, egress, process, file and WAF settings.
//
// None of the tags use omitempty, so nil pointers and nil slices are
// marshalled as null. On decode, an absent key leaves the field nil/empty.
// NOTE(review): confirm consumers distinguish "absent" from "explicitly empty"
// where that difference changes the enforced policy.
type NvSecurityRuleSpec struct {
	Target         NvSecurityTarget          `json:"target"`
	IngressRule    []NvSecurityRuleDetail    `json:"ingress"`
	EgressRule     []NvSecurityRuleDetail    `json:"egress"`
	ProcessProfile *NvSecurityProcessProfile `json:"process_profile"`
	ProcessRule    []NvSecurityProcessRule   `json:"process"`
	FileRule       []NvSecurityFileRule      `json:"file"`
	WafGroup       *NvSecurityWafGroup       `json:"waf"` // per-group's waf sensor mapping data
}
type NvSecurityTarget ¶
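// NvSecurityTarget names what a security rule applies to: a group selector
// and an optional policy mode.
type NvSecurityTarget struct {
	// PolicyMode is optional and may be nil.
	//
	// The tag used to read "policymode, omitempty". encoding/json does not
	// trim the space, so the option was not recognised as omitempty and a nil
	// PolicyMode was marshalled as "policymode":null; go vet reports such
	// tags. The key name itself is unchanged.
	PolicyMode *string `json:"policymode,omitempty"`
	// Selector is the group configuration the rule is attached to.
	Selector api.RESTCrdGroupConfig `json:"selector"`
}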
type NvSecurityWafGroup ¶
// NvSecurityWafGroup carries a group's WAF status flag and its list of
// settings.
type NvSecurityWafGroup struct {
	// Status is always serialized; its zero value is false.
	// NOTE(review): presumably false means WAF is disabled for the group, so a
	// spec that omits the key decodes to the disabled state — confirm.
	Status   bool                         `json:"status"`
	Settings []api.RESTCrdWafGroupSetting `json:"settings"`
}
type NvSecurityWafRule ¶
// NvSecurityWafRule is one named WAF rule with its list of patterns.
type NvSecurityWafRule struct {
	// Name has no omitempty: a nil pointer is marshalled as null.
	Name     *string                    `json:"name"`
	Patterns []api.RESTWafCriteriaEntry `json:"patterns"`
}
type NvSecurityWafSensor ¶
// NvSecurityWafSensor is a named WAF sensor with an optional comment and a
// list of rules.
type NvSecurityWafSensor struct {
	Name string `json:"name"`
	// Comment may be nil; without omitempty it is then marshalled as null.
	Comment *string `json:"comment"`
	// RuleList holds pointers; entries may be nil.
	RuleList []*NvSecurityWafRule `json:"rules"`
}
type NvSecurityWafSpec ¶
// NvSecurityWafSpec is the spec of a WAF security rule resource; it carries a
// single sensor.
type NvSecurityWafSpec struct {
	// Sensor may be nil when the spec has no "sensor" key; check before use.
	Sensor *NvSecurityWafSensor `json:"sensor"`
}
type NvWafSecurityRule ¶
// NvWafSecurityRule is the JSON shape of a WAF security rule resource: kind,
// apiVersion, object metadata and a WAF spec.
type NvWafSecurityRule struct {
	// Kind and ApiVersion are optional and omitted from JSON when nil.
	Kind       *string `json:"kind,omitempty"`
	ApiVersion *string `json:"apiVersion,omitempty"`
	// Metadata has no omitempty: a nil pointer is marshalled as null.
	Metadata *metav1.ObjectMeta `json:"metadata"`
	Spec     NvSecurityWafSpec  `json:"spec"`
}
func (*NvWafSecurityRule) GetMetadata ¶
func (m *NvWafSecurityRule) GetMetadata() *metav1.ObjectMeta
type NvWafSecurityRuleList ¶
// NvWafSecurityRuleList is the list form of NvWafSecurityRule: kind,
// apiVersion, list metadata and the items.
type NvWafSecurityRuleList struct {
	Kind       *string          `json:"kind,omitempty"`
	ApiVersion *string          `json:"apiVersion,omitempty"`
	Metadata   *metav1.ListMeta `json:"metadata"`
	// Items holds pointers; entries may be nil.
	Items []*NvWafSecurityRule `json:"items"`
	// XXX_unrecognized is excluded from JSON by the "-" tag.
	XXX_unrecognized []byte `json:"-"`
}
func (*NvWafSecurityRuleList) GetMetadata ¶
func (m *NvWafSecurityRuleList) GetMetadata() *metav1.ListMeta
type RecreateDeploymentStrategyParams ¶
// RecreateDeploymentStrategyParams are the input to the Recreate deployment
// strategy. All fields are optional pointers and omitted from JSON when nil.
type RecreateDeploymentStrategyParams struct {
	// TimeoutSeconds is the time to wait for updates before giving up. If the
	// value is nil, a default will be used.
	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty"`
	// Pre is a lifecycle hook which is executed before the strategy manipulates
	// the deployment. All LifecycleHookFailurePolicy values are supported.
	Pre *LifecycleHook `json:"pre,omitempty"`
	// Mid is a lifecycle hook which is executed while the deployment is scaled down to zero before the first new
	// pod is created. All LifecycleHookFailurePolicy values are supported.
	Mid *LifecycleHook `json:"mid,omitempty"`
	// Post is a lifecycle hook which is executed after the strategy has
	// finished all deployment logic. All LifecycleHookFailurePolicy values are supported.
	Post *LifecycleHook `json:"post,omitempty"`
}
RecreateDeploymentStrategyParams are the input to the Recreate deployment strategy.
type RollingDeploymentStrategyParams ¶
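// RollingDeploymentStrategyParams are the input to the Rolling deployment
// strategy.
type RollingDeploymentStrategyParams struct {
	// UpdatePeriodSeconds is the time to wait between individual pod updates.
	// If the value is nil, a default will be used.
	//
	// The JSON key used to be "failurePolicyFailurePolicy", which matches
	// neither this field nor the naming of its sibling tags, so the value was
	// never populated from a document using the field's own name. It is now
	// "updatePeriodSeconds", the key the OpenShift apps API uses for it.
	UpdatePeriodSeconds *int64 `json:"updatePeriodSeconds,omitempty"`
	// IntervalSeconds is the time to wait between polling deployment status
	// after update. If the value is nil, a default will be used.
	IntervalSeconds *int64 `json:"intervalSeconds,omitempty"`
	// TimeoutSeconds is the time to wait for updates before giving up. If the
	// value is nil, a default will be used.
	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty"`
	// MaxUnavailable is the maximum number of pods that can be unavailable
	// during the update. Value can be an absolute number (ex: 5) or a
	// percentage of total pods at the start of update (ex: 10%). Absolute
	// number is calculated from percentage by rounding down.
	//
	// This cannot be 0 if MaxSurge is 0. By default, 25% is used.
	//
	// Example: when this is set to 30%, the old RC can be scaled down by 30%
	// immediately when the rolling update starts. Once new pods are ready, old
	// RC can be scaled down further, followed by scaling up the new RC,
	// ensuring that at least 70% of original number of pods are available at
	// all times during the update.
	MaxUnavailable intstr.IntOrString `json:"maxUnavailable"`
	// MaxSurge is the maximum number of pods that can be scheduled above the
	// original number of pods. Value can be an absolute number (ex: 5) or a
	// percentage of total pods at the start of the update (ex: 10%). Absolute
	// number is calculated from percentage by rounding up.
	//
	// This cannot be 0 if MaxUnavailable is 0. By default, 25% is used.
	//
	// Example: when this is set to 30%, the new RC can be scaled up by 30%
	// immediately when the rolling update starts. Once old pods have been
	// killed, new RC can be scaled up further, ensuring that total number of
	// pods running at any time during the update is at most 130% of original
	// pods.
	MaxSurge intstr.IntOrString `json:"maxSurge"`
	// Pre is a lifecycle hook which is executed before the deployment process
	// begins. All LifecycleHookFailurePolicy values are supported.
	Pre *LifecycleHook `json:"pre,omitempty"`
	// Post is a lifecycle hook which is executed after the strategy has
	// finished all deployment logic. All LifecycleHookFailurePolicy values
	// are supported.
	Post *LifecycleHook `json:"post,omitempty"`
}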
RollingDeploymentStrategyParams are the input to the Rolling deployment strategy.
type TagImageHook ¶
// TagImageHook is a request to tag the image in a particular container onto an
// ImageStreamTag.
type TagImageHook struct {
	// ContainerName is the name of a container in the deployment config whose image value will be used as the source of the tag. If there is only a single
	// container this value will be defaulted to the name of that container.
	ContainerName string `json:"containerName"`
	// To is the target ImageStreamTag to set the container's image onto.
	// NOTE(review): To is an object reference taken from the hook definition;
	// confirm the consumer restricts which tags a deployment may write to.
	To kapi.ObjectReference `json:"to"`
}
TagImageHook is a request to tag the image in a particular container onto an ImageStreamTag.