// Copyright (c) 2020 Red Hat, Inc.
// Copyright Contributors to the Open Cluster Management project

// Package v1 holds the Policy API types: the root Policy/PolicyList objects and
// the nested spec and status types they are built from.
package v1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	runtime "k8s.io/apimachinery/pkg/runtime"
)

// RemediationAction describes whether to enforce or inform.
//
// The enum marker admits both the capitalized and the lowercase spelling, so a
// stored value may not be byte-equal to the Enforce/Inform constants below;
// code that compares this type should normalize case first.
// +kubebuilder:validation:Enum=Inform;inform;Enforce;enforce
type RemediationAction string

const (
	// Enforce is a remediationAction to make changes.
	Enforce RemediationAction = "Enforce"

	// Inform is a remediationAction to only inform.
	Inform RemediationAction = "Inform"
)

// PolicyTemplate is the template for a custom security policy.
type PolicyTemplate struct {
	// +kubebuilder:pruning:PreserveUnknownFields
	// A Kubernetes object defining the policy to apply to a managed cluster.
	// The object is carried opaquely as a RawExtension, and the pruning marker
	// keeps fields the CRD schema does not describe, so the Policy schema
	// itself does not validate this content.
	ObjectDefinition runtime.RawExtension `json:"objectDefinition"`

	// Additional PolicyDependencies that only apply to this template.
	ExtraDependencies []PolicyDependency `json:"extraDependencies,omitempty"`

	// Ignore this template's Pending status when calculating the overall Policy status.
	IgnorePending bool `json:"ignorePending,omitempty"`
}

// ComplianceState shows the state of enforcement.
type ComplianceState string

const (
	// Compliant is the ComplianceState meaning the policy's requirements are met.
	Compliant ComplianceState = "Compliant"

	// NonCompliant is the ComplianceState meaning the policy's requirements are not met.
	NonCompliant ComplianceState = "NonCompliant"

	// Pending is a ComplianceState; a PolicyTemplate can exclude it from the
	// overall Policy status via IgnorePending.
	Pending ComplianceState = "Pending"
)

// PolicyDependency defines an object reference which must be in a certain compliance
// state before the policy should be created.
type PolicyDependency struct {
	// Kind and apiVersion of the object to be checked.
	metav1.TypeMeta `json:",inline"`

	// The name of the object to be checked.
	Name string `json:"name"`

	// The namespace of the object to be checked (optional).
	Namespace string `json:"namespace,omitempty"`

	// The ComplianceState (at path .status.compliant) required before the policy should be created.
	// +kubebuilder:validation:Enum=Compliant;Pending;NonCompliant
	Compliance ComplianceState `json:"compliance"`
}

// PolicySpec defines the desired state of Policy.
type PolicySpec struct {
	// This provides the ability to enable and disable your policies.
	Disabled bool `json:"disabled"`

	// If set to true (default), all the policy's labels and annotations will be copied to the replicated policy.
	// If set to false, only the policy framework specific policy labels and annotations will be copied to the
	// replicated policy. A nil pointer means the field was not set and the default applies.
	// +kubebuilder:validation:Optional
	CopyPolicyMetadata *bool `json:"copyPolicyMetadata,omitempty"`

	// This value (Enforce or Inform) will override the remediationAction on each template.
	RemediationAction RemediationAction `json:"remediationAction,omitempty"`

	// Used to create one or more policies to apply to a managed cluster.
	// Note the hyphenated JSON key; the field has no omitempty and is always serialized.
	PolicyTemplates []*PolicyTemplate `json:"policy-templates"`

	// PolicyDependencies that apply to each template in this Policy.
	Dependencies []PolicyDependency `json:"dependencies,omitempty"`
}

// PlacementDecision defines the decision made by controller: one cluster a
// placement resolved to.
type PlacementDecision struct {
	// Name of the cluster in this decision (JSON key "clusterName").
	ClusterName string `json:"clusterName,omitempty"`
	// Namespace of the cluster in this decision (JSON key "clusterNamespace").
	ClusterNamespace string `json:"clusterNamespace,omitempty"`
}

// Placement defines the placement results.
type Placement struct {
	// Name of the PlacementBinding these results belong to.
	PlacementBinding string `json:"placementBinding,omitempty"`
	// Name of the PlacementRule, when the binding uses one.
	PlacementRule string `json:"placementRule,omitempty"`
	// Name of the Placement, when the binding uses one.
	Placement string `json:"placement,omitempty"`
	// The cluster decisions produced by this placement.
	Decisions []PlacementDecision `json:"decisions,omitempty"`
	// NOTE(review): presumably the PolicySet through which this policy was bound — verify against the propagator.
	PolicySet string `json:"policySet,omitempty"`
}

// CompliancePerClusterStatus defines compliance per cluster status.
type CompliancePerClusterStatus struct {
	// Compliance of the policy on the named cluster.
	ComplianceState ComplianceState `json:"compliant,omitempty"`
	// Name of the cluster. The JSON key is all-lowercase ("clustername"),
	// unlike PlacementDecision's "clusterName"; do not assume the two match.
	ClusterName string `json:"clustername,omitempty"`
	// Namespace of the cluster. JSON key is all-lowercase ("clusternamespace").
	ClusterNamespace string `json:"clusternamespace,omitempty"`
}

// DetailsPerTemplate defines compliance details and history.
type DetailsPerTemplate struct {
	// Metadata of the policy template these details describe.
	// +kubebuilder:pruning:PreserveUnknownFields
	TemplateMeta metav1.ObjectMeta `json:"templateMeta,omitempty"`
	// Compliance of this template.
	ComplianceState ComplianceState `json:"compliant,omitempty"`
	// Compliance history entries for this template.
	History []ComplianceHistory `json:"history,omitempty"`
}

// ComplianceHistory defines compliance details history.
type ComplianceHistory struct {
	// Time of the most recent occurrence. NOTE(review): the protobuf field
	// numbers on this and Message (7 and 4) look like they mirror
	// corev1.Event — confirm before relying on them.
	LastTimestamp metav1.Time `json:"lastTimestamp,omitempty" protobuf:"bytes,7,opt,name=lastTimestamp"`
	// Human-readable compliance message.
	Message string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
	// NOTE(review): presumably the name of the Event this entry was taken from — verify against the producer.
	EventName string `json:"eventName,omitempty"`
}

// PolicyStatus defines the observed state of Policy.
//
// Placement and Status are populated on the root policy; ComplianceState and
// Details are populated on the replicated policy (see the trailing comments).
type PolicyStatus struct {
	Placement []*Placement                  `json:"placement,omitempty"` // used by root policy
	Status    []*CompliancePerClusterStatus `json:"status,omitempty"`    // used by root policy

	// +kubebuilder:validation:Enum=Compliant;Pending;NonCompliant
	ComplianceState ComplianceState       `json:"compliant,omitempty"` // used by replicated policy
	Details         []*DetailsPerTemplate `json:"details,omitempty"`   // used by replicated policy
}

//+kubebuilder:object:root=true

// Policy is the Schema for the policies API.
//
// Status is declared as a subresource: writes through the main resource
// endpoint leave .status untouched, and updating it requires access to the
// policies/status subresource.
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=policies,scope=Namespaced
// +kubebuilder:resource:path=policies,shortName=plc
// +kubebuilder:printcolumn:name="Remediation action",type="string",JSONPath=".spec.remediationAction"
// +kubebuilder:printcolumn:name="Compliance state",type="string",JSONPath=".status.compliant"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
type Policy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata"`

	// Desired state of the policy.
	Spec PolicySpec `json:"spec"`
	// Observed state of the policy, written via the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}

//+kubebuilder:object:root=true

// PolicyList contains a list of Policy.
type PolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Policy `json:"items"`
}

// init registers Policy and PolicyList with SchemeBuilder (declared elsewhere
// in this package) so the types are known to the runtime scheme.
func init() {
	SchemeBuilder.Register(&Policy{}, &PolicyList{})
}