Documentation
Index
- Variables
- type ComplianceMap
- type CompliancePerClusterStatus
- type ComplianceState
- type ComplianceType
- type Condition
- type ConfigurationPolicy
- type ConfigurationPolicyList
- type ConfigurationPolicySpec
- type ConfigurationPolicyStatus
- type EvaluationInterval
- type MetadataComplianceType
- type NonEmptyString
- type ObjectMetadata
- type ObjectProperties
- type ObjectResource
- type ObjectTemplate
- type PruneObjectBehavior
- type RelatedObject
- type RemediationAction
- type ResourceState
- type Severity
- type Target
- type TemplateStatus
- type Validity
Constants
This section is empty.
Variables
var ErrIsNever = errors.New("the interval is set to never")
Functions
This section is empty.
Types
type ComplianceMap
type ComplianceMap map[string]*CompliancePerClusterStatus
ComplianceMap is a map that holds CompliancePerClusterStatus objects.
type CompliancePerClusterStatus
type CompliancePerClusterStatus struct {
	AggregatePolicyStatus map[string]*ConfigurationPolicyStatus `json:"aggregatePoliciesStatus,omitempty"`
	ComplianceState       ComplianceState                        `json:"compliant,omitempty"`
	ClusterName           string                                 `json:"clustername,omitempty"`
}
CompliancePerClusterStatus contains the aggregate status of the other policies in a cluster.
type ComplianceState
type ComplianceState string
ComplianceState shows the state of enforcement.
const (
	// Compliant is a ComplianceState
	Compliant ComplianceState = "Compliant"
	// NonCompliant is a ComplianceState
	NonCompliant ComplianceState = "NonCompliant"
	// UnknownCompliancy is a ComplianceState
	UnknownCompliancy ComplianceState = "UnknownCompliancy"
	// Terminating is a ComplianceState
	Terminating ComplianceState = "Terminating"
)
type ComplianceType
type ComplianceType string
ComplianceType describes whether we must or must not have a given resource.
const (
	// MustNotHave is an enforcement state to exclude a resource
	MustNotHave ComplianceType = "Mustnothave"
	// MustHave is an enforcement state to include a resource
	MustHave ComplianceType = "Musthave"
	// MustOnlyHave is an enforcement state to exclusively include a resource
	MustOnlyHave ComplianceType = "Mustonlyhave"
)
type Condition
type Condition struct {
	// Type of condition, e.g. Complete or Failed.
	Type string `json:"type"`
	// Status of the condition, one of True, False, Unknown.
	Status corev1.ConditionStatus `json:"status,omitempty" protobuf:"bytes,12,rep,name=status"`
	// The last time the condition transitioned from one status to another.
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`
	// The reason for the condition's last transition.
	// +optional
	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
	// A human readable message indicating details about the transition.
	// +optional
	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
}
Condition is the base struct for representing resource conditions.
type ConfigurationPolicy
type ConfigurationPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec   *ConfigurationPolicySpec  `json:"spec,omitempty"`
	Status ConfigurationPolicyStatus `json:"status,omitempty"`
}
ConfigurationPolicy is the Schema for the configurationpolicies API.
type ConfigurationPolicyList
type ConfigurationPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ConfigurationPolicy `json:"items"`
}
ConfigurationPolicyList contains a list of ConfigurationPolicy.
type ConfigurationPolicySpec
type ConfigurationPolicySpec struct {
	Severity          Severity          `json:"severity,omitempty"`          // low, medium, high
	RemediationAction RemediationAction `json:"remediationAction,omitempty"` // enforce, inform
	// 'namespaceSelector' defines the list of namespaces to include/exclude for objects defined in
	// spec.objectTemplates. All selector rules are ANDed. If 'include' is not provided but
	// 'matchLabels' and/or 'matchExpressions' are, 'include' will behave as if ['*'] were given. If
	// 'matchExpressions' and 'matchLabels' are both not provided, 'include' must be provided to
	// retrieve namespaces.
	NamespaceSelector Target `json:"namespaceSelector,omitempty"`
	// 'object-templates' and 'object-templates-raw' are arrays of objects for the configuration
	// policy to check, create, modify, or delete on the cluster. 'object-templates' is an array
	// of objects, while 'object-templates-raw' is a string containing an array of objects in
	// YAML format. Only one of the two object-templates variables can be set in a given
	// configurationPolicy.
	ObjectTemplates []*ObjectTemplate `json:"object-templates,omitempty"`
	// 'object-templates-raw' is the YAML string form of 'object-templates' (see the comment
	// above). Only one of the two object-templates variables can be set in a given
	// configurationPolicy.
	ObjectTemplatesRaw  string              `json:"object-templates-raw,omitempty"`
	EvaluationInterval  EvaluationInterval  `json:"evaluationInterval,omitempty"`
	PruneObjectBehavior PruneObjectBehavior `json:"pruneObjectBehavior,omitempty"`
}
ConfigurationPolicySpec defines the desired state of ConfigurationPolicy.
type ConfigurationPolicyStatus
type ConfigurationPolicyStatus struct {
	ComplianceState   ComplianceState  `json:"compliant,omitempty"`         // Compliant/NonCompliant/UnknownCompliancy
	CompliancyDetails []TemplateStatus `json:"compliancyDetails,omitempty"` // reason for non-compliancy
	// An ISO-8601 timestamp of the last time the policy was evaluated
	LastEvaluated string `json:"lastEvaluated,omitempty"`
	// The generation of the ConfigurationPolicy object when it was last evaluated
	LastEvaluatedGeneration int64 `json:"lastEvaluatedGeneration,omitempty"`
	// List of resources processed by the policy
	RelatedObjects []RelatedObject `json:"relatedObjects,omitempty"`
}
ConfigurationPolicyStatus defines the observed state of ConfigurationPolicy.
type EvaluationInterval
type EvaluationInterval struct {
	// The minimum elapsed time before a ConfigurationPolicy is reevaluated when in the compliant state. Set this to
	// "never" to disable reevaluation when in the compliant state.
	Compliant string `json:"compliant,omitempty"`
	//+kubebuilder:validation:Pattern=`^(?:(?:(?:[0-9]+(?:.[0-9])?)(?:h|m|s|(?:ms)|(?:us)|(?:ns)))|never)+$`
	// The minimum elapsed time before a ConfigurationPolicy is reevaluated when in the noncompliant state. Set this to
	// "never" to disable reevaluation when in the noncompliant state.
	NonCompliant string `json:"noncompliant,omitempty"`
}
EvaluationInterval configures the minimum elapsed time before a ConfigurationPolicy is reevaluated.
func (EvaluationInterval) GetCompliantInterval
func (e EvaluationInterval) GetCompliantInterval() (time.Duration, error)
GetCompliantInterval converts the Compliant interval to a duration. ErrIsNever is returned when the string is set to "never".
func (EvaluationInterval) GetNonCompliantInterval
func (e EvaluationInterval) GetNonCompliantInterval() (time.Duration, error)
GetNonCompliantInterval converts the NonCompliant interval to a duration. ErrIsNever is returned when the string is set to "never".
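The following is an added example, not the package's own code: it re-declares a reduced EvaluationInterval with the two getters written to the contract documented above (ErrIsNever for "never", the kubebuilder pattern enforced before time.ParseDuration), and adds a ReevaluationDue helper that combines the chosen interval with Status.LastEvaluated. ReevaluationDue, parseInterval and the RFC 3339 timestamp format are assumptions of this example; the point it makes is that a "never" interval in the compliant state stops the policy from being rechecked, so later drift on the cluster is not detected.

```go
package main

import (
	"errors"
	"regexp"
	"time"
)

// Reduced copies of the page's types, declared here rather than imported from the package.
type ComplianceState string
const Compliant, NonCompliant ComplianceState = "Compliant", "NonCompliant"
type EvaluationInterval struct {
	Compliant    string `json:"compliant,omitempty"`
	NonCompliant string `json:"noncompliant,omitempty"`
}

var ErrIsNever = errors.New("the interval is set to never")

// intervalPattern is the kubebuilder validation pattern shown on the page.
var intervalPattern = regexp.MustCompile(`^(?:(?:(?:[0-9]+(?:.[0-9])?)(?:h|m|s|(?:ms)|(?:us)|(?:ns)))|never)+$`)

// parseInterval follows the documented contract: "never" yields ErrIsNever, anything else is a Go duration.
func parseInterval(s string) (time.Duration, error) {
	if s == "never" {
		return 0, ErrIsNever
	}
	if !intervalPattern.MatchString(s) {
		return 0, errors.New("interval does not match the CRD validation pattern")
	}
	return time.ParseDuration(s)
}

func (e EvaluationInterval) GetCompliantInterval() (time.Duration, error)    { return parseInterval(e.Compliant) }
func (e EvaluationInterval) GetNonCompliantInterval() (time.Duration, error) { return parseInterval(e.NonCompliant) }

// ReevaluationDue (assumed helper) picks the interval for the policy's current state and compares it
// with Status.LastEvaluated (ISO-8601, parsed here as RFC 3339). For a "never" interval it returns
// false together with ErrIsNever: the policy is not rechecked in that state, so later drift goes unnoticed.
func ReevaluationDue(e EvaluationInterval, state ComplianceState, lastEvaluated string, now time.Time) (bool, error) {
	interval, err := e.GetNonCompliantInterval()
	if state == Compliant {
		interval, err = e.GetCompliantInterval()
	}
	if err != nil {
		return false, err // includes ErrIsNever: reevaluation is disabled in this state
	}
	last, err := time.Parse(time.RFC3339, lastEvaluated)
	return err == nil && !now.Before(last.Add(interval)), err
}
```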
type MetadataComplianceType
type MetadataComplianceType string
MetadataComplianceType describes how to check compliance for the labels/annotations of a given object.
type NonEmptyString
type NonEmptyString string
type ObjectMetadata
type ObjectMetadata struct {
	// Name of the referent. More info:
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
	Name string `json:"name,omitempty"`
	// Namespace of the referent. More info:
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
	Namespace string `json:"namespace,omitempty"`
}
ObjectMetadata contains the resource metadata for an object being processed by the policy.
type ObjectProperties
type ObjectResource
type ObjectResource struct {
	// Kind of the referent. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	Kind string `json:"kind,omitempty"`
	// API version of the referent.
	APIVersion string `json:"apiVersion,omitempty"`
	// Metadata values from the referent.
	Metadata ObjectMetadata `json:"metadata,omitempty"`
}
ObjectResource is an object identified by the policy as a resource that needs to be validated.
type ObjectTemplate
type ObjectTemplate struct {
	// ComplianceType specifies whether it is: musthave, mustnothave, mustonlyhave
	ComplianceType         ComplianceType         `json:"complianceType"`
	MetadataComplianceType MetadataComplianceType `json:"metadataComplianceType,omitempty"`
	// ObjectDefinition defines required fields for the object
	ObjectDefinition runtime.RawExtension `json:"objectDefinition,omitempty"`
}
ObjectTemplate describes how an object should look.
type PruneObjectBehavior
type PruneObjectBehavior string
PruneObjectBehavior is used to remove objects that are managed by the policy upon policy deletion.
type RelatedObject
type RelatedObject struct {
	//
	Object ObjectResource `json:"object,omitempty"`
	//
	Compliant string `json:"compliant,omitempty"`
	//
	Reason string `json:"reason,omitempty"`
	Properties *ObjectProperties `json:"properties,omitempty"`
}
RelatedObject is the list of objects matched by this Policy resource.
type RemediationAction
type RemediationAction string
RemediationAction is either enforce or inform.
const (
	// Enforce is a RemediationAction to make changes
	Enforce RemediationAction = "Enforce"
	// Inform is a RemediationAction to only inform
	Inform RemediationAction = "Inform"
)
type Target
type Target struct {
	// 'include' is an array of filepath expressions to include objects by name.
	Include []NonEmptyString `json:"include,omitempty"`
	// 'exclude' is an array of filepath expressions to exclude objects by name.
	Exclude []NonEmptyString `json:"exclude,omitempty"`
	// 'matchLabels' is a map of {key,value} pairs matching objects by label.
	MatchLabels *map[string]string `json:"matchLabels,omitempty"`
	// 'matchExpressions' is an array of label selector requirements matching objects by label.
	MatchExpressions *[]metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty"`
}
type TemplateStatus
type TemplateStatus struct {
	ComplianceState ComplianceState `json:"Compliant,omitempty"` // Compliant, NonCompliant, UnknownCompliancy
	Conditions      []Condition     `json:"conditions,omitempty"`
	Validity        Validity        `json:"Validity,omitempty"` // a template can be invalid if it has conflicting roles
}
TemplateStatus holds the status result.