// Copyright (c) 2022 Tigera, Inc. All rights reserved.
package v3

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Kind names placed in TypeMeta by the constructors below for the
// PolicyRecommendationScope resource and its list type.
const (
	KindPolicyRecommendationScope     = "PolicyRecommendationScope"
	KindPolicyRecommendationScopeList = "PolicyRecommendationScopeList"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// PolicyRecommendationScope is the API resource that configures the policy
// recommendation engine. The +genclient:nonNamespaced marker above makes it a
// cluster-scoped resource, and the status subresource marker below exposes
// Status through a separate /status endpoint, so writes to Spec and to Status
// are authorized independently.
// +kubebuilder:subresource:status
type PolicyRecommendationScope struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec is the user-supplied configuration; Status is the observed state
	// reported back by whatever reconciles this resource (not in this file).
	Spec   PolicyRecommendationScopeSpec   `json:"spec,omitempty"`
	Status PolicyRecommendationScopeStatus `json:"status,omitempty"`
}

// PolicyRecommendationScopeSpec holds the tunable parameters of the
// recommendation engine. Pointer fields left nil mean "unset"; the
// [Default: ...] values noted on each field are applied by the consumer of
// this type, not by anything in this file.
type PolicyRecommendationScopeSpec struct {
	// How frequently to run the recommendation engine to create and refine recommended policies.
	// [Default: 150s]
	// +optional
	Interval *metav1.Duration `json:"interval,omitempty"`

	// How far back to look in flow logs when first creating a recommended policy.
	// [Default: 24h]
	// +optional
	InitialLookback *metav1.Duration `json:"initialLookback,omitempty"`

	// StabilizationPeriod is the amount of time a recommended policy should remain unchanged to be
	// deemed stable and ready to be enforced.
	// [Default: 10m]
	// +optional
	StabilizationPeriod *metav1.Duration `json:"stabilizationPeriod,omitempty"`

	// The maximum number of rules that are permitted in the ingress or egress set. For egress rules,
	// any egress domain rules will be simplified by contracting all domains into a single egress
	// domain NetworkSet. If the number of rules exceeds this limit, the recommendation engine will
	// treat this as an error condition.
	// [Default: 20]
	// +optional
	MaxRules *int `json:"maxRules,omitempty"`

	// The number of staged policies that are actively learning at any one time, after which the
	// policy recommendation engine will stop adding new recommendations.
	// [Default: 20]
	// +optional
	PoliciesLearningCutOff *int `json:"policiesLearningCutOff,omitempty"`

	// The namespace spec contains the namespace relative recommendation vars.
	// Not a pointer and not +optional, so it is always present in the spec.
	NamespaceSpec PolicyRecommendationScopeNamespaceSpec `json:"namespaceSpec,omitempty"`
}

// PolicyRecommendationScopeStatus reports the observed state of the scope as a
// list of conditions.
type PolicyRecommendationScopeStatus struct {
	Conditions []PolicyRecommendationScopeStatusCondition `json:"conditions,omitempty"`
}

// PolicyRecommendationScopeStatusType names a condition; PolicyRecommendationScopeStatusValue
// is the condition's status value. This file declares no constants for either,
// so the permitted values are defined elsewhere.
type PolicyRecommendationScopeStatusType string
type PolicyRecommendationScopeStatusValue string

// PolicyRecommendationScopeStatusCondition contains the status information for
// one condition. Status and Type carry no omitempty tag and are always
// serialized; Message and Reason are omitted when empty.
type PolicyRecommendationScopeStatusCondition struct {
	Message string                               `json:"message,omitempty"`
	Reason  string                               `json:"reason,omitempty"`
	Status  PolicyRecommendationScopeStatusValue `json:"status"`
	Type    PolicyRecommendationScopeStatusType  `json:"type"`
}

// PolicyRecommendationScopeNamespaceSpec contains namespace information that defines the namespace based
// recommended policy.
type PolicyRecommendationScopeNamespaceSpec struct {
	// Pass intra-namespace traffic.
	// [Default: false]
	// +optional
	IntraNamespacePassThroughTraffic bool `json:"intraNamespacePassThroughTraffic,omitempty"`
	// Recommendation status. One of Enabled, Disabled.
	// The validate tag names a custom "policyrecstatus" check; the constants
	// PolicyRecommendationScopeEnabled/Disabled below are the documented values.
	RecStatus PolicyRecommendationNamespaceStatus `json:"recStatus,omitempty" validate:"omitempty,policyrecstatus"`
	// The namespace selector is an expression used to pick out the namespaces that the policy
	// recommendation engine should create policies for. The syntax is the same as the
	// NetworkPolicy.projectcalico.org resource selectors.
	// No omitempty, so the field is always serialized; the validate:"selector" tag
	// indicates the expression is checked by the package's validator before use
	// (that validator is not in this file). Because this selector decides which
	// namespaces receive generated policies, an overly broad expression widens the
	// blast radius of a misconfigured scope.
	Selector string `json:"selector" validate:"selector"`
	// The name of the policy recommendation tier for namespace-isolated policies.
	// [Default: "namespace-isolation"]
	// +optional
	TierName string `json:"tierName,omitempty" validate:"omitempty,name"`
}

// PolicyRecommendationNamespaceStatus is the value type of NamespaceSpec.RecStatus.
type PolicyRecommendationNamespaceStatus string

// Documented RecStatus values.
const (
	PolicyRecommendationScopeEnabled  PolicyRecommendationNamespaceStatus = "Enabled"
	PolicyRecommendationScopeDisabled PolicyRecommendationNamespaceStatus = "Disabled"
)

// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// PolicyRecommendationScopeList contains a list of PolicyRecommendationScope resources.
type PolicyRecommendationScopeList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []PolicyRecommendationScope `json:"items"`
}

// NewPolicyRecommendationScope creates a new (zeroed) PolicyRecommendationScope struct.
// TypeMetadata initialized to the current version. Spec, Status and ObjectMeta are
// left at their zero values; GroupVersionCurrent is defined elsewhere in this package.
func NewPolicyRecommendationScope() *PolicyRecommendationScope {
	return &PolicyRecommendationScope{
		TypeMeta: metav1.TypeMeta{
			Kind:       KindPolicyRecommendationScope,
			APIVersion: GroupVersionCurrent,
		},
	}
}

// NewPolicyRecommendationScopeList creates a new (zeroed) PolicyRecommendationScopeList struct with the
// TypeMetadata initialized to the current version. Items is left nil, which
// serializes as JSON null rather than an empty array.
func NewPolicyRecommendationScopeList() *PolicyRecommendationScopeList {
	return &PolicyRecommendationScopeList{
		TypeMeta: metav1.TypeMeta{
			Kind:       KindPolicyRecommendationScopeList,
			APIVersion: GroupVersionCurrent,
		},
	}
}