configurationpolicy



Variables

var (
	// ErrIsNever is the sentinel returned by EvaluationInterval.GetCompliantInterval and
	// EvaluationInterval.GetNonCompliantInterval when the interval string is "never",
	// i.e. when reevaluation for that state is disabled. Compare with errors.Is.
	ErrIsNever = errors.New("the interval is set to never")
)


Types

type ComplianceMap

// ComplianceMap holds one CompliancePerClusterStatus pointer per key.
// NOTE(review): the key is presumably the cluster name (see CompliancePerClusterStatus.ClusterName) — confirm with callers.
type ComplianceMap map[string]*CompliancePerClusterStatus

ComplianceMap is a map that holds CompliancePerClusterStatus objects.

type CompliancePerClusterStatus

// CompliancePerClusterStatus contains the aggregate status of other policies in a cluster.
type CompliancePerClusterStatus struct {
	// AggregatePolicyStatus maps a policy identifier to that policy's status on this cluster.
	// NOTE(review): the map key is presumably the policy name — confirm with the writer of this map.
	AggregatePolicyStatus map[string]*ConfigurationPolicyStatus `json:"aggregatePoliciesStatus,omitempty"`
	// ComplianceState is the overall compliance state for the cluster (see the ComplianceState constants).
	ComplianceState       ComplianceState                       `json:"compliant,omitempty"`
	// ClusterName is the name of the cluster this status describes.
	ClusterName           string                                `json:"clustername,omitempty"`
}

CompliancePerClusterStatus contains the aggregate status of other policies in a cluster.

type ComplianceState

// ComplianceState shows the state of enforcement. It is a string type whose known
// values are the Compliant, NonCompliant, UnknownCompliancy and Terminating constants.
type ComplianceState string

ComplianceState shows the state of enforcement

const (
	// Compliant is the ComplianceState meaning the policy's templates are satisfied.
	Compliant ComplianceState = "Compliant"

	// NonCompliant is the ComplianceState meaning at least one template is not satisfied.
	NonCompliant ComplianceState = "NonCompliant"

	// UnknownCompliancy is the ComplianceState used when compliance could not be determined.
	UnknownCompliancy ComplianceState = "UnknownCompliancy"

	// Terminating is the ComplianceState reported while the policy is being deleted.
	// NOTE(review): the exact trigger for Terminating is not shown in this package's types — confirm in the controller.
	Terminating ComplianceState = "Terminating"
)

type ComplianceType

// ComplianceType describes whether we must or must not have a given resource.
// Known values are the MustNotHave, MustHave and MustOnlyHave constants.
type ComplianceType string

ComplianceType describes whether we must or must not have a given resource

const (
	// MustNotHave is an enforcement state to exclude a resource.
	MustNotHave ComplianceType = "Mustnothave"

	// MustHave is an enforcement state to include a resource.
	MustHave ComplianceType = "Musthave"

	// MustOnlyHave is an enforcement state to exclusively include a resource.
	// NOTE(review): these constants capitalise only the first letter ("Musthave"), while the
	// ObjectTemplate.ComplianceType comment lists all-lowercase spellings ("musthave"); the comparison
	// is presumably case-insensitive — confirm before relying on either spelling in validation.
	MustOnlyHave ComplianceType = "Mustonlyhave"
)

type Condition

// Condition is the base struct for representing resource conditions.
// Its fields follow the common Kubernetes condition shape: Type, Status, LastTransitionTime, Reason, Message.
type Condition struct {
	// Type of condition, e.g Complete or Failed.
	Type string `json:"type"`
	// Status of the condition, one of True, False, Unknown.
	Status corev1.ConditionStatus `json:"status,omitempty" protobuf:"bytes,12,rep,name=status"`
	// The last time the condition transitioned from one status to another.
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`
	// The reason for the condition's last transition.
	// +optional
	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
	// A human readable message indicating details about the transition.
	// +optional
	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
}

Condition is the base struct for representing resource conditions

type ConfigurationPolicy

// ConfigurationPolicy is the Schema for the configurationpolicies API.
type ConfigurationPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state; it is a pointer, so an object with no spec deserialises to nil rather
	// than to an empty ConfigurationPolicySpec — callers must nil-check before dereferencing.
	Spec   *ConfigurationPolicySpec  `json:"spec,omitempty"`
	// Status is the observed state written back by the controller.
	Status ConfigurationPolicyStatus `json:"status,omitempty"`
}

ConfigurationPolicy is the Schema for the configurationpolicies API

type ConfigurationPolicyList

// ConfigurationPolicyList contains a list of ConfigurationPolicy.
type ConfigurationPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the policies in this list; the json tag has no omitempty, so it is always serialised.
	Items           []ConfigurationPolicy `json:"items"`
}

ConfigurationPolicyList contains a list of ConfigurationPolicy

type ConfigurationPolicySpec

// ConfigurationPolicySpec defines the desired state of ConfigurationPolicy.
type ConfigurationPolicySpec struct {
	Severity          Severity          `json:"severity,omitempty"`          // low, medium, high
	RemediationAction RemediationAction `json:"remediationAction,omitempty"` // enforce, inform
	// 'namespaceSelector' defines the list of namespaces to include/exclude for objects defined in
	// spec.objectTemplates. All selector rules are ANDed. If 'include' is not provided but
	// 'matchLabels' and/or 'matchExpressions' are, 'include' will behave as if ['*'] were given. If
	// 'matchExpressions' and 'matchLabels' are both not provided, 'include' must be provided to
	// retrieve namespaces.
	NamespaceSelector Target `json:"namespaceSelector,omitempty"`
	// 'object-templates' and 'object-templates-raw' are arrays of objects for the configuration
	// policy to check, create, modify, or delete on the cluster. 'object-templates' is an array
	// of objects, while 'object-templates-raw' is a string containing an array of objects in
	// YAML format. Only one of the two object-templates variables can be set in a given
	// configurationPolicy.
	ObjectTemplates []*ObjectTemplate `json:"object-templates,omitempty"`
	// 'object-templates-raw' is the string form of 'object-templates': a single string containing
	// an array of objects in YAML format. Only one of the two object-templates variables can be set
	// in a given configurationPolicy (see ObjectTemplates above).
	// NOTE(review): this is a free-form string on the API type; parsing of its YAML content and
	// rejection of malformed or mutually-exclusive input happen outside this type — confirm where.
	ObjectTemplatesRaw  string              `json:"object-templates-raw,omitempty"`
	// EvaluationInterval sets the minimum time between reevaluations, per compliance state.
	EvaluationInterval  EvaluationInterval  `json:"evaluationInterval,omitempty"`
	// PruneObjectBehavior controls what happens to policy-managed objects when the policy is deleted.
	PruneObjectBehavior PruneObjectBehavior `json:"pruneObjectBehavior,omitempty"`
}

ConfigurationPolicySpec defines the desired state of ConfigurationPolicy

type ConfigurationPolicyStatus

// ConfigurationPolicyStatus defines the observed state of ConfigurationPolicy.
type ConfigurationPolicyStatus struct {
	ComplianceState   ComplianceState  `json:"compliant,omitempty"`         // Compliant/NonCompliant/UnknownCompliancy
	CompliancyDetails []TemplateStatus `json:"compliancyDetails,omitempty"` // reason for non-compliancy
	// An ISO-8601 timestamp of the last time the policy was evaluated.
	// Stored as a plain string, so the format is not enforced by the type itself.
	LastEvaluated string `json:"lastEvaluated,omitempty"`
	// The generation of the ConfigurationPolicy object when it was last evaluated
	LastEvaluatedGeneration int64 `json:"lastEvaluatedGeneration,omitempty"`
	// List of resources processed by the policy
	RelatedObjects []RelatedObject `json:"relatedObjects,omitempty"`
}

ConfigurationPolicyStatus defines the observed state of ConfigurationPolicy

type EvaluationInterval

// EvaluationInterval configures the minimum elapsed time before a ConfigurationPolicy is reevaluated.
// Use GetCompliantInterval / GetNonCompliantInterval to convert the strings to time.Duration values.
type EvaluationInterval struct {
	// The minimum elapsed time before a ConfigurationPolicy is reevaluated when in the compliant state. Set this to
	// "never" to disable reevaluation when in the compliant state.
	// NOTE(review): no validation marker is visible on this field here, unlike NonCompliant below — confirm in
	// the generated CRD schema whether Compliant is pattern-validated or whether GetCompliantInterval is the only check.
	Compliant string `json:"compliant,omitempty"`
	// NOTE(review): the pattern below uses an unescaped "." (which matches any character, not only a decimal
	// point) and a trailing "+" that admits repeated groups such as "1h1h" or "nevernever"; the schema is
	// therefore looser than intended, and GetNonCompliantInterval presumably rejects such strings — confirm.
	//+kubebuilder:validation:Pattern=`^(?:(?:(?:[0-9]+(?:.[0-9])?)(?:h|m|s|(?:ms)|(?:us)|(?:ns)))|never)+$`
	// The minimum elapsed time before a ConfigurationPolicy is reevaluated when in the noncompliant state. Set this to
	// "never" to disable reevaluation when in the noncompliant state.
	NonCompliant string `json:"noncompliant,omitempty"`
}

EvaluationInterval configures the minimum elapsed time before a ConfigurationPolicy is reevaluated.

func (EvaluationInterval) GetCompliantInterval

func (e EvaluationInterval) GetCompliantInterval() (time.Duration, error)

GetCompliantInterval converts the Compliant interval to a duration. ErrIsNever is returned when the string is set to "never".

func (EvaluationInterval) GetNonCompliantInterval

func (e EvaluationInterval) GetNonCompliantInterval() (time.Duration, error)

GetNonCompliantInterval converts the NonCompliant interval to a duration. ErrIsNever is returned when the string is set to "never".

type MetadataComplianceType

// MetadataComplianceType describes how to check compliance for the labels/annotations of a given object.
// NOTE(review): no constants for this type appear in this package listing; it presumably accepts the same
// vocabulary as ComplianceType (musthave/mustonlyhave) — confirm with the controller before documenting values.
type MetadataComplianceType string

MetadataComplianceType describes how to check compliance for the labels/annotations of a given object

type NonEmptyString

// NonEmptyString is the element type of Target.Include and Target.Exclude.
// NOTE(review): nothing in the Go type enforces non-emptiness; that presumably comes from CRD validation
// markers not shown in this listing — confirm, since an empty entry would otherwise reach the selector logic.
type NonEmptyString string

type ObjectMetadata

// ObjectMetadata contains the resource metadata for an object being processed by the policy.
type ObjectMetadata struct {
	// Name of the referent. More info:
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
	Name string `json:"name,omitempty"`
	// Namespace of the referent. More info:
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
	Namespace string `json:"namespace,omitempty"`
}

ObjectMetadata contains the resource metadata for an object being processed by the policy

type ObjectProperties

// ObjectProperties records policy-tracking details about a related object: whether the policy
// created it and its UID. It is referenced from RelatedObject.Properties.
type ObjectProperties struct {
	// Whether the object was created by the parent policy. A pointer so that "unknown" (nil) is
	// distinguishable from false.
	CreatedByPolicy *bool `json:"createdByPolicy,omitempty"`
	// Store object UID to help track object ownership for deletion
	UID string `json:"uid,omitempty"`
}

type ObjectResource

// ObjectResource is an object identified by the policy as a resource that needs to be validated.
// It carries only the identifying fields (kind, apiVersion, name/namespace), not the object's content.
type ObjectResource struct {
	// Kind of the referent. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	Kind string `json:"kind,omitempty"`
	// API version of the referent.
	APIVersion string `json:"apiVersion,omitempty"`
	// Metadata values from the referent.
	Metadata ObjectMetadata `json:"metadata,omitempty"`
}

ObjectResource is an object identified by the policy as a resource that needs to be validated.

type ObjectTemplate

// ObjectTemplate describes how an object should look.
type ObjectTemplate struct {
	// ComplianceType specifies whether it is: musthave, mustnothave, mustonlyhave
	ComplianceType ComplianceType `json:"complianceType"`

	// MetadataComplianceType specifies how the object's labels/annotations are compared.
	// Optional (omitempty); the behaviour when unset is not shown in this listing — confirm in the controller.
	MetadataComplianceType MetadataComplianceType `json:"metadataComplianceType,omitempty"`

	// ObjectDefinition defines required fields for the object.
	// It is a runtime.RawExtension, i.e. arbitrary raw JSON/YAML that is not schema-checked by this type.
	ObjectDefinition runtime.RawExtension `json:"objectDefinition,omitempty"`
}

ObjectTemplate describes how an object should look

type PruneObjectBehavior

// PruneObjectBehavior controls whether objects managed by the policy are removed when the policy is deleted.
// NOTE(review): no constants for this type appear in this package listing — the accepted values must be
// confirmed from the CRD schema or the controller.
type PruneObjectBehavior string

PruneObjectBehavior controls whether objects managed by the policy are removed when the policy is deleted.

type RelatedObject

// RelatedObject describes one object matched by this Policy resource; ConfigurationPolicyStatus.RelatedObjects
// holds the list.
type RelatedObject struct {
	// Object identifies the related resource (kind, apiVersion, name, namespace).
	Object ObjectResource `json:"object,omitempty"`
	// Compliant is the compliance state of this object, stored as a plain string rather than a ComplianceState.
	Compliant string `json:"compliant,omitempty"`
	// Reason is a human-readable explanation of the Compliant value.
	Reason     string            `json:"reason,omitempty"`
	// Properties holds policy-tracking details (created-by-policy flag and UID); nil when not recorded.
	Properties *ObjectProperties `json:"properties,omitempty"`
}

RelatedObject describes one object matched by this Policy resource; ConfigurationPolicyStatus.RelatedObjects holds the list.

type RemediationAction

// RemediationAction is either enforce or inform; see the Enforce and Inform constants.
type RemediationAction string

RemediationAction is either enforce or inform.

const (
	// Enforce is the RemediationAction under which the controller makes changes to the cluster.
	Enforce RemediationAction = "Enforce"

	// Inform is the RemediationAction under which the controller only reports compliance and changes nothing.
	Inform RemediationAction = "Inform"
)

type ResourceState

// ResourceState is a generic description of a state.
// NOTE(review): no constants or uses of this type appear in this listing — confirm it is still needed.
type ResourceState string

ResourceState is a generic description of a state.

type Severity

// Severity is one of low, medium, high, or critical.
// It is a plain string type; no constants are defined for it in this listing.
type Severity string

Severity is one of low, medium, high, or critical.

type Target

// Target selects objects by name (include/exclude) and/or by label (matchLabels/matchExpressions).
// It is used as ConfigurationPolicySpec.NamespaceSelector; see that field for how the rules combine.
type Target struct {
	// 'include' is an array of filepath expressions to include objects by name.
	Include []NonEmptyString `json:"include,omitempty"`
	// 'exclude' is an array of filepath expressions to exclude objects by name.
	Exclude []NonEmptyString `json:"exclude,omitempty"`
	// 'matchLabels' is a map of {key,value} pairs matching objects by label.
	// Declared as a pointer to a map, presumably so an absent selector (nil) can be told apart from
	// an empty one — confirm with the selector logic.
	MatchLabels *map[string]string `json:"matchLabels,omitempty"`
	// 'matchExpressions' is an array of label selector requirements matching objects by label.
	// Also a pointer, for the same absent-vs-empty distinction.
	MatchExpressions *[]metav1.LabelSelectorRequirement `json:"matchExpressions,omitempty"`
}

func (Target) String

func (t Target) String() string

String is defined so that the pointer-typed label selector fields are dereferenced when a Target is logged.

type TemplateStatus

// TemplateStatus holds the status result for a single object template.
type TemplateStatus struct {
	// NOTE(review): the JSON key here is "Compliant" (capitalised) whereas ConfigurationPolicyStatus and
	// CompliancePerClusterStatus use "compliant"; changing it would alter the serialised API, so it is left as is.
	ComplianceState ComplianceState `json:"Compliant,omitempty"` // Compliant, NonCompliant, UnknownCompliancy
	// Conditions carries the condition list explaining the current state.
	Conditions      []Condition     `json:"conditions,omitempty"`

	// Validity reports whether the template itself is well-formed (json key is "Validity", capitalised, as above).
	Validity Validity `json:"Validity,omitempty"` // a template can be invalid if it has conflicting roles
}

TemplateStatus holds the status result.

type Validity

// Validity describes whether a template is valid, with a reason when it is not.
type Validity struct {
	// Valid is a pointer so that "not assessed" (nil) is distinguishable from false.
	Valid  *bool  `json:"valid,omitempty"`
	// Reason explains why the template is invalid; expected to be empty when Valid is true — confirm with the writer.
	Reason string `json:"reason,omitempty"`
}

Validity describes whether a template is valid.
