Documentation
Overview
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group.
+kubebuilder:object:generate=true
+groupName=security-profiles-operator.x-k8s.io
Index
- Variables
- type Condition
- type ConditionReason
- type ConditionType
- type ConditionedStatus
- func (in *ConditionedStatus) DeepCopy() *ConditionedStatus
- func (in *ConditionedStatus) DeepCopyInto(out *ConditionedStatus)
- func (s *ConditionedStatus) Equal(other *ConditionedStatus) bool
- func (s *ConditionedStatus) GetReadyCondition() Condition
- func (s *ConditionedStatus) SetConditions(c ...Condition)
- type SPODSpec
- type SPODState
- type SPODStatus
- type SecurityProfilesOperatorDaemon
- type SecurityProfilesOperatorDaemonList
- type SelinuxOptions
- type WebhookOptions
Variables
var (
	// GroupVersion is group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "security-profiles-operator.x-k8s.io", Version: "v1alpha1"}
	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Types
type Condition (added in v0.6.0)
type Condition struct {
	// Type of this condition. At most one of each condition type may apply to
	// a resource at any point in time.
	Type ConditionType `json:"type"`
	// Status of this condition; is it currently True, False, or Unknown?
	Status corev1.ConditionStatus `json:"status"`
	// LastTransitionTime is the last time this condition transitioned from one
	// status to another.
	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
	// A Reason for this condition's last transition from one status to another.
	Reason ConditionReason `json:"reason"`
	// A Message containing details about this condition's last transition from
	// one status to another, if any.
	// +optional
	Message string `json:"message,omitempty"`
}
A Condition that may apply to a resource.
func Available (added in v0.6.0)
func Available() Condition
Available returns a condition that indicates the resource is currently observed to be available for use.
func Creating (added in v0.6.0)
func Creating() Condition
Creating returns a condition that indicates the resource is currently being created.
func Deleting (added in v0.6.0)
func Deleting() Condition
Deleting returns a condition that indicates the resource is currently being deleted.
func Pending (added in v0.6.0)
func Pending() Condition
Pending returns a condition that indicates the resource is currently observed to be waiting to be created.
func Unavailable (added in v0.6.0)
func Unavailable() Condition
Unavailable returns a condition that indicates the resource is not currently available for use. Unavailable should be set only when Crossplane expects the resource to be available but knows it is not, for example because its API reports it is unhealthy.
func Updating (added in v0.6.0)
func Updating() Condition
Updating returns a condition that indicates the resource is currently observed to be updating.
func (*Condition) DeepCopy (added in v0.6.0)
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto (added in v0.6.0)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ConditionReason (added in v0.6.0)
type ConditionReason string
A ConditionReason represents the reason a resource is in a condition.
const (
	ReasonAvailable ConditionReason = "Available"
	ReasonCreating ConditionReason = "Creating"
	ReasonDeleting ConditionReason = "Deleting"
	ReasonPending ConditionReason = "Pending"
	ReasonUpdating ConditionReason = "Updating"
)
Reasons a resource is or is not ready.
type ConditionType (added in v0.6.0)
type ConditionType string
A ConditionType represents a condition a resource could be in.
const (
	// TypeReady resources are believed to be ready to handle work.
	TypeReady ConditionType = "Ready"
)
Condition types.
type ConditionedStatus (added in v0.6.0)
type ConditionedStatus struct {
	// Conditions of the resource.
	// +optional
	Conditions []Condition `json:"conditions,omitempty"`
}
A ConditionedStatus reflects the observed status of a resource. Only one condition of each type may exist.
func (*ConditionedStatus) DeepCopy (added in v0.6.0)
func (in *ConditionedStatus) DeepCopy() *ConditionedStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionedStatus.
func (*ConditionedStatus) DeepCopyInto (added in v0.6.0)
func (in *ConditionedStatus) DeepCopyInto(out *ConditionedStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ConditionedStatus) Equal (added in v0.6.0)
func (s *ConditionedStatus) Equal(other *ConditionedStatus) bool
Equal returns true if the status is identical to the supplied status, ignoring the LastTransitionTimes and order of statuses.
func (*ConditionedStatus) GetReadyCondition (added in v0.6.0)
func (s *ConditionedStatus) GetReadyCondition() Condition
GetReadyCondition returns the condition of type Ready if it exists; otherwise it returns an unknown condition.
func (*ConditionedStatus) SetConditions (added in v0.6.0)
func (s *ConditionedStatus) SetConditions(c ...Condition)
SetConditions sets the supplied conditions, replacing any existing conditions of the same type. This is a no-op if all supplied conditions are identical, ignoring the last transition time, to those already set.
type SPODSpec
type SPODSpec struct {
	// Verbosity specifies the logging verbosity of the daemon.
	Verbosity uint `json:"verbosity,omitempty"`
	// EnableProfiling tells the operator whether or not to enable profiling
	// support for this SPOD instance.
	EnableProfiling bool `json:"enableProfiling,omitempty"`
	// EnableMemoryOptimization enables memory optimization in the controller
	// running inside of SPOD instance and watching for pods in the cluster.
	// This will make the controller loading in the cache memory only the pods
	// labelled explicitly for profile recording with 'spo.x-k8s.io/enable-recording=true'.
	EnableMemoryOptimization bool `json:"enableMemoryOptimization,omitempty"`
	// tells the operator whether or not to enable SELinux support for this
	// SPOD instance.
	EnableSelinux *bool `json:"enableSelinux,omitempty"`
	// If specified, the SELinux type tag applied to the security context of SPOD.
	// +optional
	// +kubebuilder:default="spc_t"
	SelinuxTypeTag string `json:"selinuxTypeTag,omitempty"`
	// tells the operator whether or not to enable log enrichment support for this
	// SPOD instance.
	EnableLogEnricher bool `json:"enableLogEnricher,omitempty"`
	// tells the operator whether or not to enable bpf recorder support for this
	// SPOD instance.
	EnableBpfRecorder bool `json:"enableBpfRecorder,omitempty"`
	// tells the operator whether or not to enable AppArmor support for this
	// SPOD instance.
	EnableAppArmor bool `json:"enableAppArmor,omitempty"`
	// If specified, the SPOD's tolerations.
	// +optional
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
	// Defines options specific to the SELinux
	// functionality of the SecurityProfilesOperator
	SelinuxOpts SelinuxOptions `json:"selinuxOptions,omitempty"`
	// HostProcVolumePath is the path for specifying a custom host /proc
	// volume, which is required for the log-enricher as well as bpf-recorder
	// to retrieve the container ID for a process ID. This can be helpful for
	// nested environments, for example when using "kind".
	HostProcVolumePath string `json:"hostProcVolumePath,omitempty"`
	// StaticWebhookConfig indicates whether the webhook configuration and its
	// related resources are statically deployed. In this case, the operator will
	// not create or update the webhook configuration and its related resources.
	// +optional
	StaticWebhookConfig bool `json:"staticWebhookConfig"`
	// WebhookOpts set custom namespace selectors and failure mode for
	// SPO's webhooks
	// +optional
	WebhookOpts []WebhookOptions `json:"webhookOptions,omitempty"`
	// AllowedSyscalls if specified, a list of system calls which are allowed
	// in seccomp profiles.
	// +optional
	AllowedSyscalls []string `json:"allowedSyscalls,omitempty"`
	// AllowedSeccompActions if specified, a list of allowed seccomp actions.
	// +optional
	AllowedSeccompActions []seccomp.Action `json:"allowedSeccompActions"`
	// Affinity if specified, the SPOD's affinity.
	// +optional
	Affinity *corev1.Affinity `json:"affinity,omitempty"`
	// ImagePullSecrets if defined, list of references to secrets in the security-profiles-operator's
	// namespace to use for pulling the images from SPOD pod from a private registry.
	// +optional
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
	// DaemonResourceRequirements if defined, overwrites the default resource requirements
	// of SPOD daemon.
	// +optional
	DaemonResourceRequirements *corev1.ResourceRequirements `json:"daemonResourceRequirements,omitempty"`
	// PriorityClassName if defined, indicates the spod pod priority class.
	// +optional
	// +kubebuilder:default="system-node-critical"
	PriorityClassName string `json:"priorityClassName,omitempty"`
	// DisableOCIArtifactSignatureVerification can be used to disable OCI
	// artifact signature verification.
	// +optional
	DisableOCIArtifactSignatureVerification bool `json:"disableOciArtifactSignatureVerification"`
}
SPODSpec defines the desired state of SPOD.
func (*SPODSpec) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SPODSpec.
func (*SPODSpec) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SPODState
type SPODState string
SPODState defines the state that the spod is in.
const (
	// The SPOD instance is pending installation.
	SPODStatePending SPODState = "PENDING"
	// The SPOD instance is being created.
	SPODStateCreating SPODState = "CREATING"
	// The SPOD instance is being updated.
	SPODStateUpdating SPODState = "UPDATING"
	// The SPOD instance was installed successfully.
	SPODStateRunning SPODState = "RUNNING"
	// The SPOD instance couldn't be installed.
	SPODStateError SPODState = "ERROR"
)
type SPODStatus
type SPODStatus struct {
	ConditionedStatus `json:",inline"`
	// Represents the state that the policy is in. Can be:
	// PENDING, IN-PROGRESS, RUNNING or ERROR
	State SPODState `json:"state,omitempty"`
}
SPODStatus defines the observed state of SPOD.
func (*SPODStatus) DeepCopy
func (in *SPODStatus) DeepCopy() *SPODStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SPODStatus.
func (*SPODStatus) DeepCopyInto
func (in *SPODStatus) DeepCopyInto(out *SPODStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SPODStatus) StateCreating
func (s *SPODStatus) StateCreating()
func (*SPODStatus) StatePending
func (s *SPODStatus) StatePending()
func (*SPODStatus) StateRunning
func (s *SPODStatus) StateRunning()
func (*SPODStatus) StateUpdating
func (s *SPODStatus) StateUpdating()
type SecurityProfilesOperatorDaemon
type SecurityProfilesOperatorDaemon struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec SPODSpec `json:"spec,omitempty"`
	Status SPODStatus `json:"status,omitempty"`
}
SecurityProfilesOperatorDaemon is the Schema to configure the spod deployment.
+kubebuilder:subresource:status
+kubebuilder:resource:path=securityprofilesoperatordaemons,shortName=spod
+kubebuilder:printcolumn:name="State",type="string",JSONPath=`.status.state`
func (*SecurityProfilesOperatorDaemon) DeepCopy
func (in *SecurityProfilesOperatorDaemon) DeepCopy() *SecurityProfilesOperatorDaemon
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityProfilesOperatorDaemon.
func (*SecurityProfilesOperatorDaemon) DeepCopyInto
func (in *SecurityProfilesOperatorDaemon) DeepCopyInto(out *SecurityProfilesOperatorDaemon)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityProfilesOperatorDaemon) DeepCopyObject
func (in *SecurityProfilesOperatorDaemon) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SecurityProfilesOperatorDaemonList
type SecurityProfilesOperatorDaemonList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items []SecurityProfilesOperatorDaemon `json:"items"`
}
SecurityProfilesOperatorDaemonList contains a list of SecurityProfilesOperatorDaemon.
func (*SecurityProfilesOperatorDaemonList) DeepCopy
func (in *SecurityProfilesOperatorDaemonList) DeepCopy() *SecurityProfilesOperatorDaemonList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityProfilesOperatorDaemonList.
func (*SecurityProfilesOperatorDaemonList) DeepCopyInto
func (in *SecurityProfilesOperatorDaemonList) DeepCopyInto(out *SecurityProfilesOperatorDaemonList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityProfilesOperatorDaemonList) DeepCopyObject
func (in *SecurityProfilesOperatorDaemonList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SelinuxOptions (added in v0.4.0)
type SelinuxOptions struct {
	// Lists the profiles coming from the system itself that are
	// allowed to be inherited by workloads. Use this with care,
	// as this might provide a lot of permissions depending on the
	// policy.
	// +kubebuilder:default={"container"}
	AllowedSystemProfiles []string `json:"allowedSystemProfiles,omitempty"`
}
SelinuxOptions defines options specific to the SELinux functionality of the SecurityProfilesOperator.
func (*SelinuxOptions) DeepCopy (added in v0.4.0)
func (in *SelinuxOptions) DeepCopy() *SelinuxOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelinuxOptions.
func (*SelinuxOptions) DeepCopyInto (added in v0.4.0)
func (in *SelinuxOptions) DeepCopyInto(out *SelinuxOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type WebhookOptions (added in v0.4.3)
type WebhookOptions struct {
	// Name specifies which webhook do we configure
	Name string `json:"name,omitempty"`
	// FailurePolicy sets the webhook failure policy
	// +optional
	FailurePolicy *admissionregv1.FailurePolicyType `json:"failurePolicy,omitempty"`
	// NamespaceSelector sets webhook's namespace selector
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
	// ObjectSelector sets webhook's object selector
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
}
func (*WebhookOptions) DeepCopy (added in v0.4.3)
func (in *WebhookOptions) DeepCopy() *WebhookOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookOptions.
func (*WebhookOptions) DeepCopyInto (added in v0.4.3)
func (in *WebhookOptions) DeepCopyInto(out *WebhookOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
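Several SPODSpec, SelinuxOptions and WebhookOptions fields documented above relax a protection when set, so a spec can be reviewed mechanically before it is applied. The following is an added example, not code from the security-profiles-operator project: AuditSPODSpec, the local spodSpec mirror type and the sample JSON (including the webhook name) are assumptions made for illustration; only the JSON field names come from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// spodSpec mirrors only the audited SPODSpec fields and their documented JSON tags.
type spodSpec struct {
	SelinuxOpts struct {
		AllowedSystemProfiles []string `json:"allowedSystemProfiles,omitempty"`
	} `json:"selinuxOptions,omitempty"`
	WebhookOpts []struct {
		Name          string  `json:"name,omitempty"`
		FailurePolicy *string `json:"failurePolicy,omitempty"`
	} `json:"webhookOptions,omitempty"`
	DisableSigVerify bool `json:"disableOciArtifactSignatureVerification"`
}

// constructedSpec is sample input made up for this example.
const constructedSpec = `{"disableOciArtifactSignatureVerification": true,
  "selinuxOptions": {"allowedSystemProfiles": ["container", "unconfined_t"]},
  "webhookOptions": [{"name": "example-webhook", "failurePolicy": "Ignore"}]}`

// AuditSPODSpec (hypothetical helper) returns one finding per risky setting.
func AuditSPODSpec(raw []byte) ([]string, error) {
	var s spodSpec
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("decode SPOD spec: %w", err)
	}
	var findings []string
	if s.DisableSigVerify {
		findings = append(findings, "OCI artifact signature verification is disabled")
	}
	for _, p := range s.SelinuxOpts.AllowedSystemProfiles {
		if p != "container" { // "container" is the documented default
			findings = append(findings, "workloads may inherit system SELinux profile "+p)
		}
	}
	for _, w := range s.WebhookOpts {
		// Ignore admits the request when the webhook call fails.
		if w.FailurePolicy != nil && *w.FailurePolicy == "Ignore" {
			findings = append(findings, "webhook "+w.Name+" fails open (failurePolicy=Ignore)")
		}
	}
	return findings, nil
}
func main() {
	fmt.Println(AuditSPODSpec([]byte(constructedSpec)))
}
```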