Package v1 (v0.14.0)

Warning: this package is not in the latest version of its module.

Published: Jun 21, 2024 License: Apache-2.0 Imports: 11 Imported by: 12

Documentation

Overview

Package v1 contains API Schema definitions for the policy v1 API group +kubebuilder:object:generate=true +groupName=policy.open-cluster-management.io

Index

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "policy.open-cluster-management.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
var ErrIsNever = errors.New("the interval is set to never")

Functions

This section is empty.

Types

type ComplianceState

type ComplianceState string

ComplianceState reports the observed status from the definitions of the policy.

+kubebuilder:validation:Enum=Compliant;Pending;NonCompliant;Terminating

const (
	Compliant    ComplianceState = "Compliant"
	NonCompliant ComplianceState = "NonCompliant"
	// UnknownCompliancy is not listed in the validation enum above, and the
	// enum's `Pending` value has no constant in this package.
	UnknownCompliancy ComplianceState = "UnknownCompliancy"
	Terminating       ComplianceState = "Terminating"
)

type ComplianceType

type ComplianceType string

ComplianceType describes how objects on the cluster should be compared with the object definition of the configuration policy. The supported options are `MustHave`, `MustOnlyHave`, or `MustNotHave`.

+kubebuilder:validation:Enum=MustHave;Musthave;musthave;MustOnlyHave;Mustonlyhave;mustonlyhave;MustNotHave;Mustnothave;mustnothave

const (
	// MustNotHave is a ComplianceType to not match an object definition.
	MustNotHave ComplianceType = "MustNotHave"

	// MustHave is a ComplianceType to match an object definition as a subset of the whole object.
	MustHave ComplianceType = "MustHave"

	// MustOnlyHave is a ComplianceType to match an object definition exactly with the object.
	MustOnlyHave ComplianceType = "MustOnlyHave"
)

func (ComplianceType) IsMustHave added in v0.13.0

func (c ComplianceType) IsMustHave() bool

func (ComplianceType) IsMustNotHave added in v0.13.0

func (c ComplianceType) IsMustNotHave() bool

func (ComplianceType) IsMustOnlyHave added in v0.13.0

func (c ComplianceType) IsMustOnlyHave() bool

type Condition

type Condition struct {
	// Type is the type of condition. The supported options are `violation` or `notification`.
	Type string `json:"type"`

	// Status is an unused field. If set, it's set to `True`.
	Status corev1.ConditionStatus `json:"status,omitempty" protobuf:"bytes,12,rep,name=status"`

	// LastTransitionTime is the most recent time the condition transitioned to the current condition.
	//
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`

	// Reason is a brief summary for the condition.
	//
	// +optional
	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`

	// Message is a human-readable message indicating details about the condition.
	//
	// +optional
	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
}

Condition contains the details of an evaluation of an `object-template`.

func (*Condition) DeepCopy

func (in *Condition) DeepCopy() *Condition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.

func (*Condition) DeepCopyInto

func (in *Condition) DeepCopyInto(out *Condition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ConfigurationPolicy

type ConfigurationPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   *ConfigurationPolicySpec  `json:"spec,omitempty"`
	Status ConfigurationPolicyStatus `json:"status,omitempty"`
}

ConfigurationPolicy is the schema for the configurationpolicies API. A configuration policy contains, in whole or in part, an object definition to compare with objects on the cluster. If the definition of the configuration policy doesn't match the objects on the cluster, a noncompliant status is displayed. Furthermore, if the RemediationAction is set to `enforce` and the name of the object is available, the configuration policy controller creates or updates the object to match in order to make the configuration policy compliant.

+kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:printcolumn:name="Compliance state",type="string",JSONPath=".status.compliant"

func (*ConfigurationPolicy) DeepCopy

func (in *ConfigurationPolicy) DeepCopy() *ConfigurationPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationPolicy.

func (*ConfigurationPolicy) DeepCopyInto

func (in *ConfigurationPolicy) DeepCopyInto(out *ConfigurationPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ConfigurationPolicy) DeepCopyObject

func (in *ConfigurationPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ConfigurationPolicyList

type ConfigurationPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ConfigurationPolicy `json:"items"`
}

ConfigurationPolicyList contains a list of configuration policies.

+kubebuilder:object:root=true

func (*ConfigurationPolicyList) DeepCopy

func (in *ConfigurationPolicyList) DeepCopy() *ConfigurationPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationPolicyList.

func (*ConfigurationPolicyList) DeepCopyInto

func (in *ConfigurationPolicyList) DeepCopyInto(out *ConfigurationPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ConfigurationPolicyList) DeepCopyObject

func (in *ConfigurationPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ConfigurationPolicySpec

type ConfigurationPolicySpec struct {
	Severity           Severity           `json:"severity,omitempty"`
	RemediationAction  RemediationAction  `json:"remediationAction"`
	EvaluationInterval EvaluationInterval `json:"evaluationInterval,omitempty"`
	// +kubebuilder:default:=None
	PruneObjectBehavior PruneObjectBehavior `json:"pruneObjectBehavior,omitempty"`

	// NamespaceSelector defines the list of namespaces to include or exclude for objects defined in
	// `spec["object-templates"]`. All selector rules are combined. If 'include' is not provided but
	// `matchLabels` and/or `matchExpressions` are, `include` will behave as if `['*']` were given. If
	// `matchExpressions` and `matchLabels` are both not provided, `include` must be provided to
	// retrieve namespaces.
	NamespaceSelector Target `json:"namespaceSelector,omitempty"`

	// The `object-templates` is an array of object configurations for the configuration policy to
	// check, create, modify, or delete objects on the cluster. Keys inside of the objectDefinition in
	// an object template may point to values that have Go templates. For more advanced Go templating
	// such as `range` loops and `if` conditionals, use `object-templates-raw`. Only one of
	// `object-templates` and `object-templates-raw` can be set in a configuration policy. For more on
	// the Go templates, see https://github.com/stolostron/go-template-utils/blob/main/README.md.
	ObjectTemplates []*ObjectTemplate `json:"object-templates,omitempty"`

	// The `object-templates-raw` is a string containing Go templates that must ultimately produce an
	// array of object configurations in YAML format to be used as `object-templates`. Only one of
	// `object-templates` and `object-templates-raw` can be set in a configuration policy. For more on
	// the Go templates, see https://github.com/stolostron/go-template-utils/blob/main/README.md.
	ObjectTemplatesRaw string `json:"object-templates-raw,omitempty"`
}

ConfigurationPolicySpec defines the desired configuration of objects on the cluster, along with how the controller should handle when the cluster doesn't match the configuration policy.

func (*ConfigurationPolicySpec) DeepCopy

func (in *ConfigurationPolicySpec) DeepCopy() *ConfigurationPolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationPolicySpec.

func (*ConfigurationPolicySpec) DeepCopyInto

func (in *ConfigurationPolicySpec) DeepCopyInto(out *ConfigurationPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ConfigurationPolicyStatus

type ConfigurationPolicyStatus struct {
	ComplianceState ComplianceState `json:"compliant,omitempty"`

	// CompliancyDetails is a list of statuses matching one-to-one with each of the items in the
	// `object-templates` array.
	CompliancyDetails []TemplateStatus `json:"compliancyDetails,omitempty"`

	// LastEvaluated is an ISO-8601 timestamp of the last time the policy was evaluated.
	LastEvaluated string `json:"lastEvaluated,omitempty"`

	// LastEvaluatedGeneration is the generation of the ConfigurationPolicy object when it was last
	// evaluated.
	LastEvaluatedGeneration int64 `json:"lastEvaluatedGeneration,omitempty"`

	// RelatedObjects is a list of objects processed by the configuration policy due to its
	// `object-templates`.
	RelatedObjects []RelatedObject `json:"relatedObjects,omitempty"`
}

ConfigurationPolicyStatus is the observed status of the configuration policy from its object definitions.

func (*ConfigurationPolicyStatus) DeepCopy

func (in *ConfigurationPolicyStatus) DeepCopy() *ConfigurationPolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationPolicyStatus.

func (*ConfigurationPolicyStatus) DeepCopyInto

func (in *ConfigurationPolicyStatus) DeepCopyInto(out *ConfigurationPolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EvaluationInterval added in v0.7.0

type EvaluationInterval struct {
	// Compliant is the minimum elapsed time before a configuration policy is reevaluated when in the
	// compliant state. Set this to `never` to disable reevaluation when in the compliant state.
	//
	//+kubebuilder:validation:Pattern=`^(?:(?:(?:[0-9]+(?:.[0-9])?)(?:h|m|s|(?:ms)|(?:us)|(?:ns)))|never)+$`
	Compliant string `json:"compliant,omitempty"`
	// NonCompliant is the minimum elapsed time before a configuration policy is reevaluated when in
	// the noncompliant state. Set this to `never` to disable reevaluation when in the noncompliant
	// state.
	//
	//+kubebuilder:validation:Pattern=`^(?:(?:(?:[0-9]+(?:.[0-9])?)(?:h|m|s|(?:ms)|(?:us)|(?:ns)))|never)+$`
	NonCompliant string `json:"noncompliant,omitempty"`
}

EvaluationInterval configures the minimum elapsed time before a configuration policy is reevaluated. If the policy spec is changed, or if the list of namespaces selected by the policy changes, the policy might be evaluated regardless of the settings here.

func (*EvaluationInterval) DeepCopy added in v0.8.0

func (in *EvaluationInterval) DeepCopy() *EvaluationInterval

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EvaluationInterval.

func (*EvaluationInterval) DeepCopyInto added in v0.8.0

func (in *EvaluationInterval) DeepCopyInto(out *EvaluationInterval)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (EvaluationInterval) GetCompliantInterval added in v0.7.0

func (e EvaluationInterval) GetCompliantInterval() (time.Duration, error)

GetCompliantInterval converts the Compliant interval to a duration. ErrIsNever is returned when the string is set to `never`.

func (EvaluationInterval) GetNonCompliantInterval added in v0.7.0

func (e EvaluationInterval) GetNonCompliantInterval() (time.Duration, error)

GetNonCompliantInterval converts the NonCompliant interval to a duration. ErrIsNever is returned when the string is set to `never`.
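The interval accessors above return ErrIsNever rather than a duration when a field is `never`, so a scheduler has to branch on that sentinel instead of treating it as an error. The following is an added, stand-alone example (not code from this package) that mirrors the documented contract with local copies of the types, then computes when a policy is next due for its current compliance state. Treating an empty interval as zero, and unknown states as "evaluate now", are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Local mirrors of the page's types so the example compiles without the module.
type ComplianceState string

const (
	Compliant    ComplianceState = "Compliant"
	NonCompliant ComplianceState = "NonCompliant"
)

type EvaluationInterval struct {
	Compliant    string `json:"compliant,omitempty"`
	NonCompliant string `json:"noncompliant,omitempty"`
}

var ErrIsNever = errors.New("the interval is set to never")

// parseInterval follows the documented contract: "never" yields ErrIsNever,
// anything else must be a Go duration (h, m, s, ms, us, ns). Treating an
// empty string as zero is this example's assumption, not the controller's rule.
func parseInterval(s string) (time.Duration, error) {
	if s == "never" {
		return 0, ErrIsNever
	}
	if s == "" {
		return 0, nil
	}
	return time.ParseDuration(s)
}

func (e EvaluationInterval) GetCompliantInterval() (time.Duration, error) {
	return parseInterval(e.Compliant)
}

func (e EvaluationInterval) GetNonCompliantInterval() (time.Duration, error) {
	return parseInterval(e.NonCompliant)
}

// NextEvaluation picks the interval for the current state and returns when the
// policy is next due. ok is false when reevaluation is disabled ("never") for
// that state; a malformed duration is reported as an error, never silently zero.
func NextEvaluation(e EvaluationInterval, state ComplianceState, lastEvaluated time.Time) (time.Time, bool, error) {
	var (
		d   time.Duration
		err error
	)
	switch state {
	case Compliant:
		d, err = e.GetCompliantInterval()
	case NonCompliant:
		d, err = e.GetNonCompliantInterval()
	default:
		// Unknown or terminating states: reevaluate immediately (example choice).
		return lastEvaluated, true, nil
	}
	if errors.Is(err, ErrIsNever) {
		return time.Time{}, false, nil
	}
	if err != nil {
		return time.Time{}, false, fmt.Errorf("invalid evaluationInterval for %s: %w", state, err)
	}
	return lastEvaluated.Add(d), true, nil
}

func main() {
	// Constructed sample: never re-check once compliant, re-check every 45s while not.
	ei := EvaluationInterval{Compliant: "never", NonCompliant: "45s"}
	last := time.Date(2024, 6, 21, 12, 0, 0, 0, time.UTC)
	for _, st := range []ComplianceState{Compliant, NonCompliant} {
		next, ok, err := NextEvaluation(ei, st, last)
		switch {
		case err != nil:
			fmt.Println(st, "error:", err)
		case !ok:
			fmt.Println(st, "reevaluation disabled")
		default:
			fmt.Println(st, "next evaluation at", next.Format(time.RFC3339))
		}
	}
}
```

The caveat worth keeping in mind when reviewing policies: `compliant: never` means that once an object is found compliant, later drift on the cluster is not re-detected until the policy spec or its selected namespace set changes (see the EvaluationInterval description above), so it trades detection of tampering for reduced API load.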

type MetadataComplianceType added in v0.7.0

type MetadataComplianceType string

MetadataComplianceType describes how the labels and annotations of objects on the cluster should be compared with the object definition of the configuration policy. The supported options are `MustHave` or `MustOnlyHave`. The default value is the value defined in `complianceType` for the object template.

+kubebuilder:validation:Enum=MustHave;Musthave;musthave;MustOnlyHave;Mustonlyhave;mustonlyhave

type NonEmptyString

type NonEmptyString string

+kubebuilder:validation:MinLength=1

type ObjectMetadata

type ObjectMetadata struct {
	// Name of the related object.
	Name string `json:"name,omitempty"`

	// Namespace of the related object.
	Namespace string `json:"namespace,omitempty"`
}

ObjectMetadata contains the metadata for an object matched by the configuration policy.

func (*ObjectMetadata) DeepCopy

func (in *ObjectMetadata) DeepCopy() *ObjectMetadata

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMetadata.

func (*ObjectMetadata) DeepCopyInto

func (in *ObjectMetadata) DeepCopyInto(out *ObjectMetadata)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ObjectProperties added in v0.8.0

type ObjectProperties struct {
	// CreatedByPolicy reports whether the object was created by the configuration policy, which is
	// important when pruning is configured.
	CreatedByPolicy *bool `json:"createdByPolicy,omitempty"`

	// UID stores the object UID to help track object ownership for deletion when pruning is
	// configured.
	UID string `json:"uid,omitempty"`

	// Diff stores the difference between the `objectDefinition` in the policy and the object on the
	// cluster.
	Diff string `json:"diff,omitempty"`
}

ObjectProperties holds additional properties of the related object that are relevant to the configuration policy.

func (*ObjectProperties) DeepCopy added in v0.10.0

func (in *ObjectProperties) DeepCopy() *ObjectProperties

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectProperties.

func (*ObjectProperties) DeepCopyInto added in v0.10.0

func (in *ObjectProperties) DeepCopyInto(out *ObjectProperties)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ObjectResource

type ObjectResource struct {
	Metadata ObjectMetadata `json:"metadata,omitempty"`

	// Kind of the related object.
	Kind string `json:"kind,omitempty"`

	// API version of the related object.
	APIVersion string `json:"apiVersion,omitempty"`
}

ObjectResource contains details about an object matched by the configuration policy.

func ObjectResourceFromObj added in v0.13.0

func ObjectResourceFromObj(obj client.Object) ObjectResource

ObjectResourceFromObj converts a Kubernetes object into an ObjectResource, used to populate the policy status with related objects.

func (*ObjectResource) DeepCopy

func (in *ObjectResource) DeepCopy() *ObjectResource

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectResource.

func (*ObjectResource) DeepCopyInto

func (in *ObjectResource) DeepCopyInto(out *ObjectResource)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ObjectTemplate

type ObjectTemplate struct {
	ComplianceType         ComplianceType         `json:"complianceType"`
	MetadataComplianceType MetadataComplianceType `json:"metadataComplianceType,omitempty"`

	// RecreateOption describes when to delete and recreate an object when an update is required. When you set the
	// object to `IfRequired`, the policy recreates the object when updating an immutable field. When you set the
	// parameter to `Always`, the policy recreates the object on any update. When you set the `remediationAction` to
	// `inform`, the parameter value, `recreateOption`, has no effect on the object. The `IfRequired` value has no
	// effect on clusters without dry-run update support. The default value is `None`.
	//+kubebuilder:default=None
	RecreateOption RecreateOption `json:"recreateOption,omitempty"`

	// ObjectDefinition defines required fields to be compared with objects on the cluster.
	//
	// +kubebuilder:pruning:PreserveUnknownFields
	ObjectDefinition runtime.RawExtension `json:"objectDefinition"`

	// RecordDiff specifies whether and where to log the difference between the object on the cluster
	// and the `objectDefinition` parameter in the policy. The supported options are `InStatus` to
	// record the difference in the policy status field, `Log` to log the difference in the
	// `config-policy-controller` pod, and `None` to not log the difference. The default value is
	// `None` for object kinds that include sensitive data such as `ConfigMap`, `OAuthAccessToken`,
	// `OAuthAuthorizeTokens`, `Route`, and `Secret`, or when a templated `objectDefinition`
	// references sensitive data. For all other kinds, the default value is `InStatus`.
	RecordDiff RecordDiff `json:"recordDiff,omitempty"`
}

ObjectTemplate describes the desired state of an object on the cluster.

func (*ObjectTemplate) DeepCopy

func (in *ObjectTemplate) DeepCopy() *ObjectTemplate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectTemplate.

func (*ObjectTemplate) DeepCopyInto

func (in *ObjectTemplate) DeepCopyInto(out *ObjectTemplate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ObjectTemplate) RecordDiffWithDefault added in v0.14.0

func (o *ObjectTemplate) RecordDiffWithDefault() RecordDiff

RecordDiffWithDefault parses the `objectDefinition` in the policy for the kind and returns the default `recordDiff` value depending on whether the kind contains sensitive data.
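The security-relevant point of the `recordDiff` default is that a diff written to `.status` or to the controller's log is readable by anyone who can read the ConfigurationPolicy or the pod logs, which is why kinds such as Secret default to `None`. The block below is an added example, not this package's implementation: it mirrors the documented defaulting with local copies of the types (json.RawMessage stands in for runtime.RawExtension) and adds a lint that flags templates whose explicit `recordDiff` overrides that protection. The list of template functions it treats as "references sensitive data" (`fromSecret`, `copySecretData`) is this example's heuristic; the controller's own rule may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type RecordDiff string

const (
	RecordDiffLog      RecordDiff = "Log"
	RecordDiffInStatus RecordDiff = "InStatus"
	RecordDiffNone     RecordDiff = "None"
)

// ObjectTemplate mirrors the page's type; json.RawMessage replaces
// runtime.RawExtension so the example needs no apimachinery import.
type ObjectTemplate struct {
	ComplianceType   string          `json:"complianceType"`
	ObjectDefinition json.RawMessage `json:"objectDefinition"`
	RecordDiff       RecordDiff      `json:"recordDiff,omitempty"`
}

// sensitiveKinds are the kinds the documentation lists as defaulting to None.
var sensitiveKinds = map[string]bool{
	"ConfigMap": true, "OAuthAccessToken": true, "OAuthAuthorizeTokens": true,
	"Route": true, "Secret": true,
}

// sensitiveTemplateFuncs is this example's heuristic (an assumption) for a
// templated objectDefinition that reads Secret contents.
var sensitiveTemplateFuncs = []string{"fromSecret", "copySecretData"}

// kindOf extracts `kind` from the raw objectDefinition; unparsable input
// yields "" so callers fall through to the non-sensitive default.
func kindOf(def json.RawMessage) string {
	var hdr struct {
		Kind string `json:"kind"`
	}
	if err := json.Unmarshal(def, &hdr); err != nil {
		return ""
	}
	return hdr.Kind
}

func referencesSensitiveData(def json.RawMessage) bool {
	s := string(def)
	if !strings.Contains(s, "{{") {
		return false
	}
	for _, fn := range sensitiveTemplateFuncs {
		if strings.Contains(s, fn) {
			return true
		}
	}
	return false
}

// RecordDiffWithDefault follows the documented defaulting: an explicit value
// wins; otherwise None for sensitive kinds or sensitive templates, else InStatus.
func (o *ObjectTemplate) RecordDiffWithDefault() RecordDiff {
	if o.RecordDiff != "" {
		return o.RecordDiff
	}
	if sensitiveKinds[kindOf(o.ObjectDefinition)] || referencesSensitiveData(o.ObjectDefinition) {
		return RecordDiffNone
	}
	return RecordDiffInStatus
}

// LintRecordDiff flags templates whose explicit recordDiff would copy data the
// defaulting logic deliberately withholds into the status or the pod log.
func LintRecordDiff(templates []ObjectTemplate) []string {
	var findings []string
	for i, t := range templates {
		explicit := t.RecordDiff
		if explicit == "" || explicit == RecordDiffNone {
			continue
		}
		t.RecordDiff = "" // t is a copy; ask what the default would have been
		if t.RecordDiffWithDefault() == RecordDiffNone {
			findings = append(findings, fmt.Sprintf(
				"object-templates[%d] (kind %s): recordDiff=%s overrides the None default and would expose sensitive data",
				i, kindOf(t.ObjectDefinition), explicit))
		}
	}
	return findings
}

func main() {
	// Constructed sample templates, not taken from a real policy.
	templates := []ObjectTemplate{
		{ObjectDefinition: json.RawMessage(`{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db-creds"}}`), RecordDiff: RecordDiffInStatus},
		{ObjectDefinition: json.RawMessage(`{"apiVersion":"v1","kind":"Namespace","metadata":{"name":"payments"}}`)},
		{ObjectDefinition: json.RawMessage(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"app"},"spec":{"x":"{{ fromSecret \"ns\" \"s\" \"k\" }}"}}`)},
	}
	for i, t := range templates {
		fmt.Printf("object-templates[%d] kind=%s effective recordDiff=%s\n", i, kindOf(t.ObjectDefinition), t.RecordDiffWithDefault())
	}
	for _, f := range LintRecordDiff(templates) {
		fmt.Println("finding:", f)
	}
}
```

Run the lint as a pre-merge check on policy YAML converted to JSON; the first sample template, a Secret with `recordDiff: InStatus`, is exactly the case it exists to catch.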

type PruneObjectBehavior added in v0.8.0

type PruneObjectBehavior string

PruneObjectBehavior controls whether objects managed by the policy are removed in either of two cases: a change to the policy that causes an object to no longer be managed by it, or deletion of the policy. `DeleteIfCreated` removes only objects the policy itself created (tracked through the `createdByPolicy` property of related objects), `DeleteAll` removes every managed object, and `None` leaves them in place.

+kubebuilder:validation:Enum=DeleteAll;DeleteIfCreated;None

type RecordDiff added in v0.13.0

type RecordDiff string

+kubebuilder:validation:Enum=Log;InStatus;None

const (
	RecordDiffLog      RecordDiff = "Log"
	RecordDiffInStatus RecordDiff = "InStatus"
	RecordDiffNone     RecordDiff = "None"
	// Censored is only used as an internal value to indicate a diff shouldn't be automatically generated.
	RecordDiffCensored RecordDiff = "Censored"
)

type RecreateOption added in v0.14.0

type RecreateOption string

+kubebuilder:validation:Enum=None;IfRequired;Always

const (
	None       RecreateOption = "None"
	IfRequired RecreateOption = "IfRequired"
	Always     RecreateOption = "Always"
)

type RelatedObject

type RelatedObject struct {
	Properties *ObjectProperties `json:"properties,omitempty"`

	// ObjectResource contains the identifying fields of the related object.
	Object ObjectResource `json:"object,omitempty"`

	// Compliant represents whether the related object is compliant with the definition of the policy.
	Compliant string `json:"compliant,omitempty"`

	// Reason is a human-readable message of why the related object has a particular compliance.
	Reason string `json:"reason,omitempty"`
}

RelatedObject contains the details of an object matched by the policy.

func (*RelatedObject) DeepCopy

func (in *RelatedObject) DeepCopy() *RelatedObject

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RelatedObject.

func (*RelatedObject) DeepCopyInto

func (in *RelatedObject) DeepCopyInto(out *RelatedObject)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RemediationAction

type RemediationAction string

RemediationAction is the action the controller takes when an object doesn't match the policy. The parameter values are `enforce`, which creates or updates the object to match, and `inform`, which only reports noncompliance.

+kubebuilder:validation:Enum=Inform;inform;Enforce;enforce

const (
	Enforce RemediationAction = "Enforce"
	Inform  RemediationAction = "Inform"
)

func (RemediationAction) IsEnforce added in v0.13.0

func (ra RemediationAction) IsEnforce() bool

func (RemediationAction) IsInform added in v0.13.0

func (ra RemediationAction) IsInform() bool

type Severity

type Severity string

Severity is a user-defined severity for when an object is noncompliant with this configuration policy. The supported options are `low`, `medium`, `high`, and `critical`.

+kubebuilder:validation:Enum=low;Low;medium;Medium;high;High;critical;Critical

type Target

type Target struct {
	// Include is an array of filepath expressions to include objects by name.
	Include []NonEmptyString `json:"include,omitempty"`

	// Exclude is an array of filepath expressions to exclude objects by name.
	Exclude []NonEmptyString `json:"exclude,omitempty"`

	// MatchLabels is a map of {key,value} pairs matching objects by label.
	MatchLabels *map[string]string `json:"matchLabels,omitempty"`

	// MatchExpressions is an array of label selector requirements matching objects by label.
	MatchExpressions *[]metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty"`
}

func (*Target) DeepCopy

func (in *Target) DeepCopy() *Target

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Target.

func (*Target) DeepCopyInto

func (in *Target) DeepCopyInto(out *Target)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (Target) String added in v0.8.0

func (t Target) String() string

String is defined so that the pointer fields (`matchLabels` and `matchExpressions`) are dereferenced when a Target is written to the logs.
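The namespace selection rules in the ConfigurationPolicySpec description (all rules combined, `include` defaulting to `*` when only label rules are given, nothing selected when no rules are given) decide which namespaces an `enforce` policy will write into, so they are worth being able to evaluate offline. The following is an added example, not this package's implementation: it mirrors Target with a minimal local LabelSelectorRequirement, uses path.Match as the stand-in for the "filepath expression" matching, and applies `exclude` last so it always wins. The sample namespaces are constructed.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

type NonEmptyString string

// LabelSelectorRequirement mirrors the metav1 fields used here so the example
// compiles without apimachinery.
type LabelSelectorRequirement struct {
	Key      string
	Operator string // In, NotIn, Exists, DoesNotExist
	Values   []string
}

type Target struct {
	Include          []NonEmptyString
	Exclude          []NonEmptyString
	MatchLabels      *map[string]string
	MatchExpressions *[]LabelSelectorRequirement
}

type Namespace struct {
	Name   string
	Labels map[string]string
}

// matchAny reports whether name matches any of the glob-style patterns.
func matchAny(patterns []NonEmptyString, name string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(string(p), name); err == nil && ok {
			return true
		}
	}
	return false
}

func matchLabels(ns Namespace, sel *map[string]string) bool {
	if sel == nil {
		return true
	}
	for k, v := range *sel {
		if ns.Labels[k] != v {
			return false
		}
	}
	return true
}

func contains(vals []string, v string) bool {
	for _, x := range vals {
		if x == v {
			return true
		}
	}
	return false
}

func matchExpressions(ns Namespace, reqs *[]LabelSelectorRequirement) bool {
	if reqs == nil {
		return true
	}
	for _, r := range *reqs {
		v, present := ns.Labels[r.Key]
		switch r.Operator {
		case "Exists":
			if !present {
				return false
			}
		case "DoesNotExist":
			if present {
				return false
			}
		case "In":
			if !present || !contains(r.Values, v) {
				return false
			}
		case "NotIn":
			if present && contains(r.Values, v) {
				return false
			}
		default:
			return false // unknown operator: select nothing rather than everything
		}
	}
	return true
}

// SelectNamespaces applies the documented rules: all rules are ANDed, include
// defaults to "*" when label rules are provided, no rules selects nothing,
// and exclude always wins. A provided-but-empty matchLabels counts as a rule.
func SelectNamespaces(t Target, all []Namespace) []string {
	include := t.Include
	if len(include) == 0 {
		if t.MatchLabels == nil && t.MatchExpressions == nil {
			return nil
		}
		include = []NonEmptyString{"*"}
	}
	var out []string
	for _, ns := range all {
		if !matchAny(include, ns.Name) || matchAny(t.Exclude, ns.Name) {
			continue
		}
		if !matchLabels(ns, t.MatchLabels) || !matchExpressions(ns, t.MatchExpressions) {
			continue
		}
		out = append(out, ns.Name)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample namespaces, not read from a cluster.
	all := []Namespace{
		{Name: "kube-system"},
		{Name: "default"},
		{Name: "payments", Labels: map[string]string{"env": "prod"}},
		{Name: "staging", Labels: map[string]string{"env": "staging"}},
	}
	scoped := Target{
		Include:          []NonEmptyString{"*"},
		Exclude:          []NonEmptyString{"kube-*", "openshift-*"},
		MatchExpressions: &[]LabelSelectorRequirement{{Key: "env", Operator: "In", Values: []string{"prod"}}},
	}
	fmt.Println("scoped selector:", SelectNamespaces(scoped, all))

	// Footgun: an empty matchLabels is still provided, so include becomes "*"
	// and kube-system is in scope with no exclude protecting it.
	empty := map[string]string{}
	fmt.Println("empty matchLabels:", SelectNamespaces(Target{MatchLabels: &empty}, all))
}
```

When reviewing an `enforce` policy, check the selector the way this function does: anything that widens `include` to `*` without an `exclude` for control-plane namespaces (`kube-*`, `openshift-*`) gives the policy write access there.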

type TemplateStatus

type TemplateStatus struct {
	ComplianceState ComplianceState `json:"Compliant,omitempty"`

	// Conditions contains the details from the latest evaluation of the `object-template`.
	//
	// +optional
	// +patchMergeKey=type
	// +patchStrategy=merge
	Conditions []Condition `json:"conditions,omitempty"`

	// Deprecated
	Validity Validity `json:"Validity,omitempty"`
}

TemplateStatus reports the compliance details from the definitions in an `object-template`.

func (*TemplateStatus) DeepCopy

func (in *TemplateStatus) DeepCopy() *TemplateStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateStatus.

func (*TemplateStatus) DeepCopyInto

func (in *TemplateStatus) DeepCopyInto(out *TemplateStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Validity

type Validity struct {
	Valid  *bool  `json:"valid,omitempty"`
	Reason string `json:"reason,omitempty"`
}

func (*Validity) DeepCopy

func (in *Validity) DeepCopy() *Validity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validity.

func (*Validity) DeepCopyInto

func (in *Validity) DeepCopyInto(out *Validity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
