Documentation
Overview
Package v1beta1 contains types which are useful or necessary for implementing a policy "template" which will interact with the ocm-io policy framework addon. The types here are meant to be embedded in a CRD, allowing utilities (defined elsewhere) to work with all templates more generally.
Code here can be changed over time, but the intent is to do so in a backwards-compatible way, and not remove things without a deprecation notice. Code here is meant to be usable by templates, even before it graduates to `v1`; based on historical trends, many types may begin here, but should try to advance to something more stable once they've proven their worth.
Package v1beta1 contains API Schema definitions for the policy v1beta1 API group
Index
- type ComplianceState
- type NamespaceSelector
- type NonEmptyString
- type PolicyCore
- type PolicyCoreSpec
- type PolicyCoreStatus
- type PolicyLike
- type RemediationAction
- type ResourceList
- type Severity
- type Target
- func (in *Target) DeepCopy() *Target
- func (in *Target) DeepCopyInto(out *Target)
- func (t Target) GetMatches(ctx context.Context, r client.Reader, list ResourceList) ([]client.Object, error)
- func (t Target) GetMatchesDynamic(ctx context.Context, iface dynamic.ResourceInterface) ([]*unstructured.Unstructured, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type ComplianceState
type ComplianceState string

const (
	// Compliant indicates that the policy controller determined there were no
	// violations to the policy in the cluster.
	Compliant ComplianceState = "Compliant"

	// NonCompliant indicates that the policy controller found an issue in the
	// cluster that is considered a violation.
	NonCompliant ComplianceState = "NonCompliant"

	// UnknownCompliancy indicates that the policy controller could not determine
	// if the cluster has any violations or not.
	UnknownCompliancy ComplianceState = "UnknownCompliancy"
)
type NamespaceSelector
type NamespaceSelector struct {
	*metav1.LabelSelector `json:",inline"`

	// Include is a list of filepath expressions for namespaces the policy should apply to.
	Include []NonEmptyString `json:"include,omitempty"`

	// Exclude is a list of filepath expressions for namespaces the policy should _not_ apply to.
	Exclude []NonEmptyString `json:"exclude,omitempty"`
}
func (*NamespaceSelector) DeepCopy
func (in *NamespaceSelector) DeepCopy() *NamespaceSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceSelector.
func (*NamespaceSelector) DeepCopyInto
func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (NamespaceSelector) GetNamespaces
GetNamespaces fetches all namespaces in the cluster and returns a list of the namespaces that match the NamespaceSelector. The client.Reader needs access for viewing namespaces, like the access given by this kubebuilder tag: `//+kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch`
NOTE: unlike Target, an empty NamespaceSelector will match zero namespaces.
func (NamespaceSelector) MarshalJSON
func (sel NamespaceSelector) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON encoding of the NamespaceSelector. The LabelSelector's matchLabels and matchExpressions will only be omitted from the encoding if the LabelSelector is nil; if either of them have been set but are empty, then they will be included in this JSON encoding.
type NonEmptyString
type NonEmptyString string
type PolicyCore
type PolicyCore struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PolicyCoreSpec   `json:"spec,omitempty"`
	Status PolicyCoreStatus `json:"status,omitempty"`
}
PolicyCore is the Schema for the policycores API. This is not a real API, but is included so that an example CRD can be generated showing the validated fields and types.
func (*PolicyCore) DeepCopy
func (in *PolicyCore) DeepCopy() *PolicyCore
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyCore.
func (*PolicyCore) DeepCopyInto
func (in *PolicyCore) DeepCopyInto(out *PolicyCore)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyCore) DeepCopyObject
func (in *PolicyCore) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyCoreSpec
type PolicyCoreSpec struct {
	// Severity defines how serious the situation is when the policy is not
	// compliant. The severity might not change the behavior of the policy, but
	// may be read and used by other tools. Accepted values include: low,
	// medium, high, and critical.
	Severity Severity `json:"severity,omitempty"`

	// RemediationAction indicates what the policy controller should do when the
	// policy is not compliant. Accepted values include inform, and enforce.
	// Note that not all policy controllers will attempt to automatically
	// remediate a policy, even when set to "enforce".
	RemediationAction RemediationAction `json:"remediationAction,omitempty"`

	// NamespaceSelector indicates which namespaces on the cluster this policy
	// should apply to, when the policy applies to namespaced objects.
	NamespaceSelector NamespaceSelector `json:"namespaceSelector,omitempty"`
}
PolicyCoreSpec defines fields that policies should implement to be part of the Open Cluster Management policy framework. The intention is for controllers to embed this struct in their *Spec definitions.
func (*PolicyCoreSpec) DeepCopy
func (in *PolicyCoreSpec) DeepCopy() *PolicyCoreSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyCoreSpec.
func (*PolicyCoreSpec) DeepCopyInto
func (in *PolicyCoreSpec) DeepCopyInto(out *PolicyCoreSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyCoreStatus
type PolicyCoreStatus struct {
	// ComplianceState indicates whether the policy is compliant or not.
	// Accepted values include: Compliant, NonCompliant, and UnknownCompliancy
	ComplianceState ComplianceState `json:"compliant,omitempty"`

	// Conditions represent the latest available observations of the object's status. One of these
	// items should have Type=Compliant and a message detailing the current compliance.
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}
PolicyCoreStatus defines fields that policies should implement as part of the Open Cluster Management policy framework. The intent is for controllers to embed this struct in their *Status definitions.
func (*PolicyCoreStatus) DeepCopy
func (in *PolicyCoreStatus) DeepCopy() *PolicyCoreStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyCoreStatus.
func (*PolicyCoreStatus) DeepCopyInto
func (in *PolicyCoreStatus) DeepCopyInto(out *PolicyCoreStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (PolicyCoreStatus) GetCondition
func (status PolicyCoreStatus) GetCondition(condType string) (int, metav1.Condition)
GetCondition returns the existing index and condition on the status matching the given type. If no condition of that type is found, it will return -1 as the index.
func (*PolicyCoreStatus) UpdateCondition
func (status *PolicyCoreStatus) UpdateCondition(newCond metav1.Condition) (changed bool)
UpdateCondition modifies the specified condition in the status or adds it if not present, ensuring conditions remain sorted by Type. Returns true if the condition was updated or added.
type PolicyLike
type PolicyLike interface {
	client.Object

	// The ComplianceState (Compliant/NonCompliant) of the specific policy.
	ComplianceState() ComplianceState

	// A human-readable string describing the current state of the policy, and why it is either
	// Compliant or NonCompliant.
	ComplianceMessage() string

	// The "parent" object on this cluster for the specific policy. Generally a Policy, in the API
	// GroupVersion `policy.open-cluster-management.io/v1`. For namespaced kinds of policies, this
	// will usually be the owner of the policy. For cluster-scoped policies, this must be stored
	// some other way.
	Parent() metav1.OwnerReference

	// The namespace of the "parent" object.
	ParentNamespace() string
}
PolicyLike is an interface that policies should implement so that they can benefit from some of the general tools in the nucleus. Here is a simple example implementation, which utilizes the core types of the nucleus:
import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	nucleusv1beta1 "open-cluster-management.io/governance-policy-nucleus/api/v1beta1"
)

type FakePolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   nucleusv1beta1.PolicyCoreSpec   `json:"spec,omitempty"`
	Status nucleusv1beta1.PolicyCoreStatus `json:"status,omitempty"`
}

func (f FakePolicy) ComplianceState() nucleusv1beta1.ComplianceState {
	return f.Status.ComplianceState
}

func (f FakePolicy) ComplianceMessage() string {
	idx, compCond := f.Status.GetCondition("Compliant")
	if idx == -1 {
		return ""
	}

	return compCond.Message
}

func (f FakePolicy) Parent() metav1.OwnerReference {
	if len(f.OwnerReferences) == 0 {
		return metav1.OwnerReference{}
	}

	return f.OwnerReferences[0]
}

func (f FakePolicy) ParentNamespace() string {
	return f.Namespace
}
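The FakePolicy example above leans on the two status helpers documented earlier, GetCondition (index -1 when absent) and UpdateCondition (replace or append, keep Conditions sorted by Type, report whether anything changed). The following is an added, stand-alone illustration of that contract written for this page; it is not the nucleus code, and it uses a local Condition/PolicyStatus stand-in (an assumption of the example) instead of metav1.Condition and PolicyCoreStatus so it builds with the standard library only. The "changed" result matters operationally: a controller that writes status on every reconcile, even when nothing moved, generates a steady stream of no-op updates in the audit log and masks the real transitions a responder wants to see.

```go
package main

import (
	"fmt"
	"sort"
)

// Condition is a local stand-in for the metav1.Condition fields the status
// helpers act on. It is an assumption of this example, not the nucleus type.
type Condition struct {
	Type    string
	Status  string // "True", "False" or "Unknown"
	Reason  string
	Message string
}

// PolicyStatus stands in for PolicyCoreStatus (again, a local assumption).
type PolicyStatus struct {
	ComplianceState string
	Conditions      []Condition
}

// GetCondition follows the documented contract: it returns the index and the
// condition whose Type matches, or -1 and a zero Condition when none does.
func (s PolicyStatus) GetCondition(condType string) (int, Condition) {
	for i, c := range s.Conditions {
		if c.Type == condType {
			return i, c
		}
	}
	return -1, Condition{}
}

// UpdateCondition replaces the condition of the same Type or appends a new
// one, keeps Conditions sorted by Type, and reports whether anything changed
// so that a controller can skip a no-op status write.
func (s *PolicyStatus) UpdateCondition(newCond Condition) bool {
	idx, existing := s.GetCondition(newCond.Type)
	if idx != -1 {
		if existing == newCond {
			return false
		}
		s.Conditions[idx] = newCond
		return true
	}
	s.Conditions = append(s.Conditions, newCond)
	sort.SliceStable(s.Conditions, func(i, j int) bool {
		return s.Conditions[i].Type < s.Conditions[j].Type
	})
	return true
}

// ComplianceMessage performs the same lookup as the FakePolicy example: the
// message of the Compliant condition, or "" when no such condition exists.
func (s PolicyStatus) ComplianceMessage() string {
	idx, c := s.GetCondition("Compliant")
	if idx == -1 {
		return ""
	}
	return c.Message
}

// ConditionTypes lists the condition types in stored order, which makes the
// sort invariant easy to check.
func (s PolicyStatus) ConditionTypes() []string {
	types := make([]string, 0, len(s.Conditions))
	for _, c := range s.Conditions {
		types = append(types, c.Type)
	}
	return types
}

func main() {
	var status PolicyStatus
	// Constructed sample: the controller records a violation, re-reconciles
	// with the same result (no change), then sets an unrelated condition.
	violation := Condition{Type: "Compliant", Status: "False", Reason: "NonCompliant",
		Message: "ConfigMap app-config missing in namespace app-1"}
	fmt.Println("first write changed:", status.UpdateCondition(violation))
	fmt.Println("repeat write changed:", status.UpdateCondition(violation))
	fmt.Println("new type changed:", status.UpdateCondition(Condition{Type: "Available", Status: "True", Reason: "Ready"}))
	fmt.Println("types:", status.ConditionTypes(), "message:", status.ComplianceMessage())
}
```

The equality check that drives the "changed" result is a whole-struct comparison, so a change only in Message (for example a different object name in the violation text) still counts as a change and is written; that is what a reviewer reading the status history needs.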
type RemediationAction
type RemediationAction string
func (RemediationAction) IsEnforce
func (ra RemediationAction) IsEnforce() bool
IsEnforce is true when the policy controller can attempt to enforce the policy by remediating it automatically. Note that not all controllers will support automatic enforcement.
func (RemediationAction) IsInform
func (ra RemediationAction) IsInform() bool
IsInform is true when the policy controller should only report whether the policy is compliant or not and should not perform any actions to attempt remediation.
type ResourceList
type ResourceList interface {
	ObjectList() client.ObjectList
	Items() ([]client.Object, error)
}
ResourceList is meant to wrap a concrete implementation of a client.ObjectList, giving access to the items in the list. The methods should be implemented on pointer types. For example, an implementation of this interface for ConfigMaps might look like:
import (
	corev1 "k8s.io/api/core/v1"
	"sigs.k8s.io/controller-runtime/pkg/client"
)

type configMapResList struct {
	corev1.ConfigMapList
}

func (l *configMapResList) Items() ([]client.Object, error) {
	items := make([]client.Object, len(l.ConfigMapList.Items))
	for i := range l.ConfigMapList.Items {
		items[i] = &l.ConfigMapList.Items[i]
	}

	return items, nil
}

func (l *configMapResList) ObjectList() client.ObjectList {
	return &l.ConfigMapList
}
type Target
type Target struct {
	*metav1.LabelSelector `json:",inline"`

	// Namespace is the namespace to restrict the Target to. Can be empty for non-namespaced
	// objects, or to look in all namespaces.
	Namespace string `json:"namespace,omitempty"`

	// Include is a list of filepath expressions to include objects by name.
	Include []NonEmptyString `json:"include,omitempty"`

	// Exclude is a list of filepath expressions to exclude objects by name.
	Exclude []NonEmptyString `json:"exclude,omitempty"`
}
func (*Target) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Target.
func (*Target) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (Target) GetMatches
func (t Target) GetMatches(ctx context.Context, r client.Reader, list ResourceList) ([]client.Object, error)
GetMatches returns a list of resources on the cluster, matched by the Target. The provided ResourceList should be backed by a client.ObjectList type which must be registered in the scheme of the client.Reader. The items in the provided ResourceList after this method is called will not necessarily equal the items matched by the Target. The items returned here will be in relatively the same order as they were in the list returned by the API.
This method should be used preferentially to `GetMatchesDynamic` because it can leverage the Reader's cache.
NOTE: unlike the NamespaceSelector, an empty Target will match *all* resources on the cluster.
func (Target) GetMatchesDynamic
func (t Target) GetMatchesDynamic(ctx context.Context, iface dynamic.ResourceInterface) ([]*unstructured.Unstructured, error)
GetMatchesDynamic returns a list of resources on the cluster, matched by the Target. The kind of the resources is configured by the provided dynamic.ResourceInterface. If the Target specifies a namespace, this method will limit the namespace of the provided Interface if possible. If the provided Interface is already namespaced, the namespace of the Interface will be used (possibly overriding the namespace specified in the Target). The items returned here will be in relatively the same order as they were in the list returned by the API.
NOTE: unlike the NamespaceSelector, an empty Target will match *all* resources on the cluster.
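Both Target and NamespaceSelector select by name through "filepath expressions" in Include and Exclude, and the two NOTEs above document the one place they differ: an empty Target matches all resources of the kind, while an empty NamespaceSelector matches zero namespaces. That asymmetry is the detail a template author most needs to get right, because a policy with remediationAction enforce and an unpopulated Target acts on every object the controller can see. The example below is added for this page and is not the nucleus code: it models the name-matching part of both selectors with a local NameSelector stand-in (an assumption), uses filepath.Match as the pattern syntax (an assumption about what "filepath expressions" means here), gives Exclude precedence over Include (also an assumption; the page does not state precedence), and omits the embedded LabelSelector. A malformed pattern is returned as an error rather than skipped, so a typo cannot silently change which objects a policy acts on.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// NameSelector carries the Include/Exclude name patterns shared by Target
// and NamespaceSelector. It is a local stand-in for this example
// (assumption), not the nucleus type, and leaves out the LabelSelector.
type NameSelector struct {
	Include []string
	Exclude []string
}

// matchesAny reports whether name matches any pattern in filepath.Match
// syntax ('*', '?', '[...]'). A malformed pattern is surfaced as an error
// instead of being skipped.
func matchesAny(patterns []string, name string) (bool, error) {
	for _, p := range patterns {
		ok, err := filepath.Match(p, name)
		if err != nil {
			return false, fmt.Errorf("invalid pattern %q: %w", p, err)
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// Matches decides whether one name is selected. emptyIncludeMatchesAll
// encodes the difference the page documents: an empty Target matches all
// resources, an empty NamespaceSelector matches zero namespaces. Exclude
// wins over Include (assumption; the page does not state the precedence).
func (s NameSelector) Matches(name string, emptyIncludeMatchesAll bool) (bool, error) {
	if excluded, err := matchesAny(s.Exclude, name); err != nil || excluded {
		return false, err
	}
	if len(s.Include) == 0 {
		return emptyIncludeMatchesAll, nil
	}
	return matchesAny(s.Include, name)
}

// Filter returns the subset of names the selector picks, preserving the
// order the API returned them in, as GetMatches documents.
func (s NameSelector) Filter(names []string, emptyIncludeMatchesAll bool) ([]string, error) {
	var out []string
	for _, n := range names {
		ok, err := s.Matches(n, emptyIncludeMatchesAll)
		if err != nil {
			return nil, err
		}
		if ok {
			out = append(out, n)
		}
	}
	return out, nil
}

// TargetMatches applies Target semantics: an empty selector matches all.
func TargetMatches(sel NameSelector, names []string) ([]string, error) {
	return sel.Filter(names, true)
}

// NamespaceSelectorMatches applies NamespaceSelector semantics: an empty
// selector matches zero namespaces.
func NamespaceSelectorMatches(sel NameSelector, names []string) ([]string, error) {
	return sel.Filter(names, false)
}

func main() {
	// Constructed sample of namespace names, in the order a lister returned them.
	namespaces := []string{"kube-system", "default", "app-1", "app-2", "app-canary"}

	all, _ := TargetMatches(NameSelector{}, namespaces)
	fmt.Println("empty Target selects:", all) // everything, including kube-system

	none, _ := NamespaceSelectorMatches(NameSelector{}, namespaces)
	fmt.Println("empty NamespaceSelector selects:", none)

	scoped, _ := NamespaceSelectorMatches(NameSelector{Include: []string{"app-*"}, Exclude: []string{"app-canary"}}, namespaces)
	fmt.Println("app-* minus app-canary:", scoped)

	_, err := TargetMatches(NameSelector{Include: []string{"app-["}}, namespaces)
	fmt.Println("malformed pattern:", err)
}
```

A template that embeds PolicyCoreSpec can run the same kind of check in its validating webhook or at the top of Reconcile: when RemediationAction.IsEnforce() is true and the Target carries no Include, Exclude or label selector, log the fact prominently or reject the object, depending on whether cluster-wide enforcement is an intended use of that template.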