OperationPolicy

Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.

Each CustomResource OperationPolicy describes rules for objects in a cluster.

  • spec (object)

    Required value

    • spec.enforcementAction (string)

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • spec.match (object)

      Required value

      • spec.match.labelSelector (object)

        Specifies the label selector to filter Pods with.

        You can get more info here.

        • spec.match.labelSelector.matchExpressions (array of objects)

          List of label expressions for Pods.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          
          • spec.match.labelSelector.matchExpressions.key (string)

            Required value

          • spec.match.labelSelector.matchExpressions.operator (string)

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values (array of strings)

        • spec.match.labelSelector.matchLabels (object)

          List of labels which a Pod should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.match.namespaceSelector (object)

        Required value

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames (array of strings)

          Include all namespaces except a particular set. Supports glob patterns.

        • spec.match.namespaceSelector.labelSelector (object)

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)

            List of label expressions for namespaces.

            Example:

            matchExpressions:
            - key: tier
              operator: In
              values:
              - production
              - staging
            
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)

          • spec.match.namespaceSelector.labelSelector.matchLabels (object)

            List of labels which a namespace should have.

            Example:

            matchLabels:
              foo: bar
              baz: who
            
        • spec.match.namespaceSelector.matchNames (array of strings)

          Include only a particular set of namespaces. Supports glob patterns.

    • spec.policies (object)

      Required value

      • spec.policies.allowedRepos (array of strings)

        The list of prefixes a container image is allowed to have.

        • Element of the array (string)

          Example:

          - registry.deckhouse.io
          
      • spec.policies.checkContainerDuplicates (boolean)

        Check container names and env variables for duplicates.

      • spec.policies.checkHostNetworkDNSPolicy (boolean)

        Check that dnsPolicy ClusterFirstWithHostNet is set for Pods with hostNetwork: true.

      • spec.policies.disallowedImageTags (array of strings)

        Requires container images to have an image tag different from the ones in the specified list.

        Example:

        disallowedImageTags:
        - latest
        
      • spec.policies.imagePullPolicy (string)

        Required image pull policy for containers.

        Allowed values: Always, IfNotPresent

      • spec.policies.maxRevisionHistoryLimit (integer)

        A maximum value for a revision history.

      • spec.policies.priorityClassNames (array of strings)

        List of allowed priority class names.

      • spec.policies.requiredLabels (object)

        A list of labels and values the object must specify.

        • spec.policies.requiredLabels.labels (array of objects)

          • spec.policies.requiredLabels.labels.allowedRegex (string)

            If specified, a regular expression the annotation's value must match. The value must contain at least one match for the regular expression.

          • spec.policies.requiredLabels.labels.key (string)

            The required label.

        • spec.policies.requiredLabels.watchKinds (array of strings)

          The list of Kubernetes objects, in the format $apiGroup/$kind, to watch the labels on.

          • Element of the array (string)

            Pattern: ^[a-z]?/[a-zA-Z]+$

            Example:

            - apps/Deployment
            - "/Pod"
            - networking.k8s.io/Ingress
            
      • spec.policies.requiredProbes (array of strings)

        The list of probes that are required (e.g. readinessProbe).

        Example:

        requiredProbes:
        - livenessProbe
        - readinessProbe
        
        • Element of the array (string)

          Allowed values: livenessProbe, readinessProbe, startupProbe

      • spec.policies.requiredResources (object)

        Requires containers to have defined resources set.

        • spec.policies.requiredResources.limits (array of strings)

          A list of limits that should be enforced (CPU, memory, or both).

          Default: ["memory"]

          • Element of the array (string)

            Allowed values: cpu, memory

        • spec.policies.requiredResources.requests (array of strings)

          A list of requests that should be enforced (CPU, memory, or both).

          Default: ["cpu","memory"]

          • Element of the array (string)

            Allowed values: cpu, memory
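A complete manifest that combines the selectors and policies described above into one Deny-mode policy, as an added example that is not part of the original reference. The namespace globs, the label keys and values, and the registry.example.com prefix are assumed; only registry.deckhouse.io comes from the page.

```yaml
# Added example (not from the Deckhouse docs): a cluster-scoped OperationPolicy
# that rejects non-compliant workloads in production namespaces.
# Namespace names, label keys/values and registry.example.com are assumed.
apiVersion: deckhouse.io/v1alpha1
kind: OperationPolicy
metadata:
  name: production-baseline
spec:
  enforcementAction: Deny            # Deny | Warn | Dryrun
  match:
    namespaceSelector:
      # Every namespace labelled environment=production, except system ones
      excludeNames:
      - "kube-*"
      - "d8-*"
      labelSelector:
        matchLabels:
          environment: production
    labelSelector:
      # Only Pods from the application tiers, not one-off jobs
      matchExpressions:
      - key: tier
        operator: In
        values:
        - frontend
        - backend
  policies:
    allowedRepos:                    # image prefixes; anything else is rejected
    - registry.deckhouse.io
    - registry.example.com/platform  # assumed internal registry
    disallowedImageTags:
    - latest                         # mutable tag, no reproducible rollout
    imagePullPolicy: Always
    checkHostNetworkDNSPolicy: true
    checkContainerDuplicates: true
    maxRevisionHistoryLimit: 3
    requiredProbes:
    - livenessProbe
    - readinessProbe
    requiredResources:
      requests: [cpu, memory]
      limits: [memory]               # same as the default, stated explicitly
    requiredLabels:
      labels:
      - key: owner                   # assumed label; value must be a team address
        allowedRegex: "^[a-z0-9-]+@example\\.com$"
      watchKinds:
      - apps/Deployment
      - "/Pod"
```

With this applied, a Deployment or Pod in a matching namespace whose image uses the latest tag, comes from an unlisted registry, or lacks a readinessProbe is rejected at admission. Switching enforcementAction to Dryrun keeps the same checks but only records the violations, which is the safe way to stage the policy before enforcing it.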