OperationPolicy
Scope: Cluster
Version: v1alpha1
Describes an operation policy for a cluster. Each OperationPolicy custom resource describes rules for objects in a cluster.
- spec (object)
  Required value.
- spec.enforcementAction (string)
  The enforcement action to control what to do with the result of the constraint.
  - Deny: deny action.
  - Dryrun: no action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
  - Warn: same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.
  Default: "Deny"
  Allowed values: Warn, Deny, Dryrun
- spec.match (object)
  Required value.
- spec.match.labelSelector (object)
  Specifies the label selector to filter Pods with.
  You can get more info in the documentation.
- spec.match.labelSelector.matchExpressions (array of objects)
  List of label expressions for Pods.
  Example:
    matchExpressions:
    - key: tier
      operator: In
      values:
      - production
      - staging
- spec.match.labelSelector.matchExpressions.key (string)
  Required value.
- spec.match.labelSelector.matchExpressions.operator (string)
  Required value.
  Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.labelSelector.matchExpressions.values (array of strings)
- spec.match.labelSelector.matchLabels (object)
  List of labels which a Pod should have.
  Example:
    matchLabels:
      foo: bar
      baz: who
- spec.match.namespaceSelector (object)
  Required value.
  Specifies the Namespace selector to filter objects with.
- spec.match.namespaceSelector.excludeNames (array of strings)
  Include all namespaces except a particular set. Supports glob patterns.
- spec.match.namespaceSelector.labelSelector (object)
  Specifies the label selector to filter namespaces.
  You can get more info in the documentation.
- spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)
  List of label expressions for namespaces.
  Example:
    matchExpressions:
    - key: tier
      operator: In
      values:
      - production
      - staging
- spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)
  Required value.
- spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)
  Required value.
  Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)
- spec.match.namespaceSelector.labelSelector.matchLabels (object)
  List of labels which a namespace should have.
  Example:
    matchLabels:
      foo: bar
      baz: who
- spec.match.namespaceSelector.matchNames (array of strings)
  Include only a particular set of namespaces. Supports glob patterns.
- spec.policies (object)
  Required value.
- spec.policies.allowedRepos (array of strings)
  The list of prefixes a container image is allowed to have.
  Example:
    - registry.deckhouse.io
- spec.policies.checkContainerDuplicates (boolean)
  Check container names and env variables for duplicates.
- spec.policies.checkHostNetworkDNSPolicy (boolean)
  Check that dnsPolicy ClusterFirstWithHostNet is set for Pods with hostNetwork: true.
- spec.policies.disallowedImageTags (array of strings)
  Requires container images to have an image tag different from the ones in the specified list.
  Example:
    disallowedImageTags:
    - latest
- spec.policies.imagePullPolicy (string)
  Required image pull policy for containers.
  Allowed values: Always, IfNotPresent
- spec.policies.maxRevisionHistoryLimit (integer)
  A maximum value for a revision history.
- spec.policies.priorityClassNames (array of strings)
  List of allowed priority class names.
- spec.policies.requiredLabels (object)
  A list of labels and values the object must specify.
- spec.policies.requiredLabels.labels (array of objects)
- spec.policies.requiredLabels.labels.allowedRegex (string)
  If specified, a regular expression the label's value must match. The value must contain at least one match for the regular expression.
- spec.policies.requiredLabels.labels.key (string)
  The required label.
- spec.policies.requiredLabels.watchKinds (array of strings)
  The list of Kubernetes objects, in the format $apiGroup/$kind, to watch the labels on.
  Pattern: ^[a-z]?/[a-zA-Z]+$
  Example:
    - apps/Deployment
    - "/Pod"
    - networking.k8s.io/Ingress
- spec.policies.requiredProbes (array of strings)
  The list of probes that are required (e.g. readinessProbe).
  Example:
    requiredProbes:
    - livenessProbe
    - readinessProbe
  Allowed values: livenessProbe, readinessProbe, startupProbe
- spec.policies.requiredResources (object)
  Requires containers to have defined resources set.
- spec.policies.requiredResources.limits (array of strings)
  A list of limits that should be enforced (CPU, memory, or both).
  Default: ["memory"]
  Allowed values: cpu, memory
- spec.policies.requiredResources.requests (array of strings)
  A list of requests that should be enforced (CPU, memory, or both).
  Default: ["cpu","memory"]
  Allowed values: cpu, memory
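A complete manifest that combines the fields documented above, as an added example that is not taken from the Deckhouse documentation. The API group deckhouse.io, the namespace globs kube-* and d8-*, the registry prefix registry.example.com/team, the label key owner and the priority class name are assumptions; the rest uses values shown on this page.

```yaml
apiVersion: deckhouse.io/v1alpha1   # API group assumed; version from the page
kind: OperationPolicy
metadata:
  name: workload-hygiene
spec:
  # Roll out as Warn first: violations are reported in events without
  # blocking admission. Switch to Deny once no legitimate workload trips it.
  enforcementAction: Warn
  match:
    namespaceSelector:
      # All namespaces except system ones (glob patterns are supported).
      excludeNames:
      - kube-*
      - d8-*
    labelSelector:
      matchExpressions:
      - key: tier
        operator: In
        values:
        - production
        - staging
  policies:
    allowedRepos:
    - registry.deckhouse.io
    - registry.example.com/team   # assumed internal registry prefix
    disallowedImageTags:
    - latest
    imagePullPolicy: Always
    checkHostNetworkDNSPolicy: true
    checkContainerDuplicates: true
    requiredProbes:
    - livenessProbe
    - readinessProbe
    requiredResources:
      requests: ["cpu", "memory"]
      limits: ["memory"]
    requiredLabels:
      watchKinds:
      - apps/Deployment
      - "/Pod"
      labels:
      - key: owner
        allowedRegex: "^[a-z0-9-]+$"
    maxRevisionHistoryLimit: 3
    priorityClassNames:
    - production-high
```

With enforcementAction set to Warn, the events described above show which existing workloads would be rejected, so the policy can be tightened to Deny without surprise outages.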