// Copyright (c) 2019,2021 Tigera, Inc. All rights reserved.

// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package v3

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Kind names written into TypeMeta for the GlobalReport resource and its list type.
const (
	KindGlobalReport     = "GlobalReport"
	KindGlobalReportList = "GlobalReportList"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GlobalReport is the cluster-scoped (non-namespaced) resource that configures an
// automatically generated report.
type GlobalReport struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec holds the desired report configuration.
	Spec ReportSpec `json:"spec,omitempty"`
	// Status records the report jobs run for this configuration.
	Status ReportStatus `json:"status,omitempty"`
}

// ReportSpec describes what a GlobalReport covers and when its report jobs run.
type ReportSpec struct {
	// ReportType names the type of report to generate.
	ReportType string `json:"reportType" validate:"name,required"`

	// Endpoints restricts which endpoints are in-scope and stored in the generated
	// report data. It is only consulted when endpoint data and/or audit logs are
	// gathered for the report; when omitted, everything is treated as in-scope.
	Endpoints *EndpointsSelection `json:"endpoints,omitempty" validate:"omitempty,selector"`

	// Schedule is a cron expression that fixes both the start and the end of each
	// report: the end of one report is the start of the next. A separate job is
	// created per report and builds the report data from archived audit and traffic
	// data; to give that data time to be archived, each job starts a configurable
	// delay *after* the end of the report period it covers (30m by default, tunable
	// through the compliance-controller environment). The cron format has minute
	// accuracy, but at most two values may be given for the minute column, so there
	// can be at most two reports per hour.
	// NOTE(review): only presence is validated here (validate:"omitempty"); cron
	// syntax is presumably checked by the controller — confirm before relying on it.
	Schedule string `json:"schedule,omitempty" validate:"omitempty"`

	// JobNodeSelector constrains which nodes the report job may be scheduled on.
	JobNodeSelector map[string]string `json:"jobNodeSelector,omitempty" validate:"omitempty"`

	// Suspend tells the controller to stop creating further report-generation jobs;
	// jobs that have already started are unaffected. When resumed, the controller
	// creates jobs for every report that was missed while suspended.
	Suspend *bool `json:"suspend,omitempty" validate:"omitempty"`

	// CIS holds all parameters for configuring a CIS benchmark report.
	CIS *CISBenchmarkParams `json:"cis,omitempty" validate:"omitempty"`
}

// CISBenchmarkParams holds the parameters that configure a CIS benchmark report.
type CISBenchmarkParams struct {
	// IncludeUnscoredTests makes the report show results for not-scored tests as
	// well as scored ones.
	IncludeUnscoredTests bool `json:"includeUnscoredTests,omitempty"`

	// NumFailedTests is how many of the top failed tests are shown on the report.
	NumFailedTests *int `json:"numFailedTests,omitempty" validate:"gt=0"`

	// ResultsFilters are matched against each set of benchmark results; the first
	// matching filter is applied. With no matching filter, the full result set is
	// included in the report.
	ResultsFilters []CISBenchmarkFilter `json:"resultsFilters,omitempty"`

	// HighThreshold and MedThreshold are interpreted as percentages of passing tests
	// and decide whether a node is flagged HIGH, MED or LOW:
	//   - >= HighThreshold          -> high
	//   - otherwise, > MedThreshold -> med
	//   - otherwise                 -> low
	// HighThreshold must be greater than MedThreshold (the gtfield tag enforces it).
	HighThreshold *int `json:"highThreshold,omitempty" validate:"gte=0,lte=100,gtfield=MedThreshold"`
	MedThreshold  *int `json:"medThreshold,omitempty" validate:"gte=0,lte=100"`
}

// CISBenchmarkFilter narrows the tests reported for the benchmarks it matches.
type CISBenchmarkFilter struct {
	// BenchmarkSelection chooses which benchmarks this filter applies to; when
	// unset, it applies to all of them.
	BenchmarkSelection *CISBenchmarkSelection `json:"benchmarkSelection,omitempty" validate:"omitempty"`

	// Exclude lists test indices to leave out of the report.
	Exclude []string `json:"exclude,omitempty"`

	// Include lists test indices to show in the report. It is additive when
	// IncludeUnscoredTests is true and takes precedence over Exclude.
	Include []string `json:"include,omitempty"`
}

// CISBenchmarkSelection identifies a particular set of benchmarks.
type CISBenchmarkSelection struct {
	// KubernetesVersion selects nodes running a specific kubelet version. It need
	// not be spelled out to the patch level; the significant parts given are
	// matched, e.g. "1.0" matches "1.0.1" and "1.0.2". When unset, every version
	// matches.
	KubernetesVersion string `json:"kubernetesVersion,omitempty"`
}

// ReportStatus tracks the automated report-generation jobs for a GlobalReport.
type ReportStatus struct {
	// LastSuccessfulReportJobs are the configured report jobs that completed
	// successfully.
	LastSuccessfulReportJobs []CompletedReportJob `json:"lastSuccessfulReportJobs,omitempty"`

	// LastFailedReportJobs are the configured report jobs that failed.
	LastFailedReportJobs []CompletedReportJob `json:"lastFailedReportJobs,omitempty"`

	// ActiveReportJobs is the set of report jobs currently running.
	ActiveReportJobs []ReportJob `json:"activeReportJobs,omitempty"`

	// LastScheduledReportJob is the most recently scheduled report job.
	LastScheduledReportJob *ReportJob `json:"lastScheduledReportJob,omitempty"`
}

// ReportJob describes one report-generation run: the period the report covers
// and, when known, the job that produces it.
type ReportJob struct {
	// Start is the start time of the report period.
	Start metav1.Time `json:"start"`

	// End is the end time of the report period.
	End metav1.Time `json:"end"`

	// Job references the report creation job, if known.
	Job *corev1.ObjectReference `json:"job"`
}

// CompletedReportJob is a ReportJob extended with completion details.
type CompletedReportJob struct {
	ReportJob `json:",inline"`

	// JobCompletionTime is when the report job finished.
	JobCompletionTime *metav1.Time `json:"jobCompletionTime,omitempty"`
}

// EndpointsSelection is the set of selectors that decide which endpoints are
// in-scope for the report. An empty selector is equivalent to all(); the three
// selectors are ANDed together.
type EndpointsSelection struct {
	// Selector picks endpoints by their labels. When omitted, every endpoint is
	// included in the report data.
	Selector string `json:"selector,omitempty" validate:"omitempty,selector"`

	// Namespaces limits the selection to endpoints in the matched namespaces.
	Namespaces *NamesAndLabelsMatch `json:"namespaces,omitempty" validate:"omitempty"`

	// ServiceAccounts limits the selection to endpoints in the matched service
	// accounts.
	ServiceAccounts *NamesAndLabelsMatch `json:"serviceAccounts,omitempty" validate:"omitempty"`
}

// NamesAndLabelsMatch matches resources by name, by label selector, or by both.
type NamesAndLabelsMatch struct {
	// Names optionally lists resources by name.
	Names []string `json:"names,omitempty" validate:"omitempty"`

	// Selector optionally picks resources by label. When Names is also given, the
	// two are ANDed.
	Selector string `json:"selector,omitempty" validate:"omitempty,selector"`
}

// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GlobalReportList is a list of GlobalReport resources.
type GlobalReportList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []GlobalReport `json:"items"`
}

// NewGlobalReport returns an otherwise zero GlobalReport whose TypeMeta names the
// GlobalReport kind at the current API version.
func NewGlobalReport() *GlobalReport {
	r := new(GlobalReport)
	// Kind and APIVersion are promoted from the embedded TypeMeta.
	r.Kind = KindGlobalReport
	r.APIVersion = GroupVersionCurrent
	return r
}

// NewGlobalReportList returns an otherwise zero GlobalReportList whose TypeMeta
// names the GlobalReportList kind at the current API version.
func NewGlobalReportList() *GlobalReportList {
	l := new(GlobalReportList)
	// Kind and APIVersion are promoted from the embedded TypeMeta.
	l.Kind = KindGlobalReportList
	l.APIVersion = GroupVersionCurrent
	return l
}