/*
Copyright 2023 The Kubermatic Kubernetes Platform contributors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1

import (
	"encoding/json"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +kubebuilder:resource:scope=Cluster
// +kubebuilder:resource:categories=kkpee
// +kubebuilder:object:generate=true
// +kubebuilder:object:root=true
// +kubebuilder:printcolumn:JSONPath=".spec.cluster.name",name="Cluster",type="string"
// +kubebuilder:printcolumn:JSONPath=".metadata.creationTimestamp",name="Age",type="date"

// Constraint specifies a kubermatic wrapper for the gatekeeper constraints.
//
// It is a cluster-scoped resource (see the scope marker above), so RBAC on it is
// granted cluster-wide rather than per namespace. Spec.Cluster and Spec.Selector
// decide which user clusters the wrapped Gatekeeper constraint is synced to, and the
// synced constraint shapes admission control there; write access to Constraint objects
// therefore deserves the same scrutiny as write access to the Gatekeeper constraints
// themselves.
//
// Note that this resource is part of a KKP Enterprise feature and is not used in the Community Edition.
type Constraint struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec holds the desired state; there is no status sub-resource on this type.
	Spec ConstraintSpec `json:"spec,omitempty"`
}

// ConstraintSpec specifies the data for the constraint.
type ConstraintSpec struct {
	// Cluster is the reference to the cluster that this Constraint belongs to.
	Cluster ClusterReference `json:"cluster"`
	// ConstraintType specifies the type of gatekeeper constraint that the constraint applies to
	// (i.e. the name of the Gatekeeper constraint template/kind the parameters below are meant for).
	ConstraintType string `json:"constraintType"`
	// Disabled is the flag for disabling OPA constraints.
	// While true the constraint is effectively switched off, so a change to this field
	// alone can lift a policy from the targeted clusters; treat edits of it as a
	// security-relevant change worth auditing.
	Disabled bool `json:"disabled,omitempty"`
	// Match contains the constraint to resource matching data
	Match ConstraintMatch `json:"match,omitempty"`
	// Parameters specifies the parameters used by the constraint template REGO.
	// It supports both the legacy rawJSON parameters, in which all the parameters are set in a JSON string, and regular
	// parameters like in Gatekeeper Constraints.
	// If rawJSON is set, during constraint syncing to the user cluster, the other parameters are ignored
	// (a rawJSON key therefore silently takes precedence over any sibling keys).
	// Example with rawJSON parameters:
	//
	// parameters:
	//   rawJSON: '{"labels":["gatekeeper"]}'
	//
	// And with regular parameters:
	//
	// parameters:
	//   labels: ["gatekeeper"]
	//
	// The field is schemaless and unknown fields are preserved (see the two markers
	// below), so the API server performs no schema validation on its contents;
	// malformed or unexpected parameters are presumably only detected when the
	// constraint is synced or evaluated — confirm with the syncing code.
	//
	// +kubebuilder:validation:Schemaless
	// +kubebuilder:pruning:PreserveUnknownFields
	Parameters ConstraintParameters `json:"parameters,omitempty"`
	// Selector specifies the cluster selection filters
	Selector *ConstraintSelector `json:"selector,omitempty"`

	// EnforcementAction defines the action to take in response to a constraint being violated.
	// By default, EnforcementAction is set to deny as the default behavior is to deny admission requests with any violation.
	// NOTE(review): there is no enum validation marker on this field, so the API server
	// accepts any string here; confirm how the Gatekeeper version in use treats an
	// unrecognized action before relying on the "deny by default" behavior.
	EnforcementAction string `json:"enforcementAction,omitempty"`
}

// ConstraintParameters holds the constraint parameters as raw JSON values keyed by
// parameter name. Values are kept as json.RawMessage so that decoding (and any
// validation) is deferred to the consumer of the constraint rather than done in this
// API package.
type ConstraintParameters map[string]json.RawMessage

// ConstraintSelector is the object holding the cluster selection filters.
type ConstraintSelector struct {
	// Providers is a list of cloud providers to which the Constraint applies to. Empty means all providers are selected.
	Providers []CloudProvider `json:"providers,omitempty"`
	// LabelSelector selects the Clusters to which the Constraint applies based on their labels.
	// How Providers and LabelSelector are combined (presumably both must match) is decided
	// by the code that evaluates the selector, not by this type — verify there.
	LabelSelector metav1.LabelSelector `json:"labelSelector,omitempty"`
}

// ConstraintMatch contains the constraint to resource matching data.
// The fields mirror the match block of a Gatekeeper constraint; their exact semantics
// are defined by Gatekeeper, this type only carries the values.
type ConstraintMatch struct {
	// Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which
	// the constraint will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope
	Kinds []ConstraintMatchKind `json:"kinds,omitempty"`
	// Scope accepts *, Cluster, or Namespaced which determines if cluster-scoped and/or namespace-scoped resources are selected. (defaults to *)
	// NOTE(review): no enum marker restricts the value at the API server, so an
	// unrecognized scope is accepted here; confirm how Gatekeeper handles it.
	Scope string `json:"scope,omitempty"`
	// Namespaces is a list of namespace names. If defined, a constraint will only apply to resources in a listed namespace.
	Namespaces []string `json:"namespaces,omitempty"`
	// ExcludedNamespaces is a list of namespace names. If defined, a constraint will only apply to resources not in a listed namespace.
	// Nothing in this type prevents a namespace from appearing in both lists; how such an
	// overlap is resolved is up to Gatekeeper.
	ExcludedNamespaces []string `json:"excludedNamespaces,omitempty"`
	// LabelSelector is a standard Kubernetes label selector.
	LabelSelector metav1.LabelSelector `json:"labelSelector,omitempty"`
	// NamespaceSelector is a standard Kubernetes namespace selector. If defined, make sure to add Namespaces to your
	// configs.config.gatekeeper.sh object to ensure namespaces are synced into OPA
	NamespaceSelector metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}

// ConstraintMatchKind specifies the resource Kind(s) and APIGroup(s).
type ConstraintMatchKind struct {
	// Kinds specifies the kinds of the resources
	Kinds []string `json:"kinds,omitempty"`
	// APIGroups specifies the APIGroups of the resources
	APIGroups []string `json:"apiGroups,omitempty"`
}

// +kubebuilder:object:generate=true
// +kubebuilder:object:root=true

// ConstraintList specifies a list of constraints.
type ConstraintList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items holds the Constraint objects of the list.
	Items []Constraint `json:"items"`
}