OperationPolicy

Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.

Each CustomResource OperationPolicy describes rules for objects in a cluster.

  • spec
    object

    Required value

    • spec.enforcementAction
      string

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny the request.
      • Dryrun — No action is taken; use it when debugging. Information about the event can be viewed in Grafana in the Security/Admission policy engine dashboard.
      • Warn — Same as Dryrun, but in addition to the event information it reports why the constraint would have been denied had you set Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • spec.match
      object

      Required value

      • spec.match.labelSelector
        object

        Specifies the label selector to filter Pods with.

        You can get more info in the documentation.

        • spec.match.labelSelector.matchExpressions
          array of objects

          List of label expressions for Pods.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          
          • spec.match.labelSelector.matchExpressions.key
            string

            Required value

          • spec.match.labelSelector.matchExpressions.operator
            string

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values
            array of strings
        • spec.match.labelSelector.matchLabels
          object

          List of labels a Pod should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.match.namespaceSelector
        object

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames
          array of strings

          Include all namespaces except a particular set. Supports glob patterns.

        • spec.match.namespaceSelector.labelSelector
          object

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions
            array of objects

            List of label expressions for namespaces.

            Example:

            matchExpressions:
            - key: tier
              operator: In
              values:
              - production
              - staging
            
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key
              string

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator
              string

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values
              array of strings
          • spec.match.namespaceSelector.labelSelector.matchLabels
            object

            List of labels which a namespace should have.

            Example:

            matchLabels:
              foo: bar
              baz: who
            
        • spec.match.namespaceSelector.matchNames
          array of strings

          Include only a particular set of namespaces. Supports glob patterns.

    • spec.policies
      object

      Required value

      • spec.policies.allowedRepos
        array of strings

        The list of prefixes a container image is allowed to have.

        • Element of the array
          string

          Example:

          registry.deckhouse.io
          
      • spec.policies.checkContainerDuplicates
        boolean

        Check container names and env variables for duplicates.

      • spec.policies.checkHostNetworkDNSPolicy
        boolean

        Checks that dnsPolicy: ClusterFirstWithHostNet is set for Pods with hostNetwork: true.

      • spec.policies.disallowedImageTags
        array of strings

        Requires container images to have an image tag different from the ones in the specified list.

        Example:

        disallowedImageTags:
        - latest
        
      • spec.policies.imagePullPolicy
        string

        Required image pull policy for containers.

        Allowed values: Always, IfNotPresent

      • spec.policies.ingressClassNames
        array of strings

        List of allowed ingress class names.

      • spec.policies.maxRevisionHistoryLimit
        integer

        The maximum allowed value for the revision history limit.

      • spec.policies.priorityClassNames
        array of strings

        List of allowed priority class names.

      • spec.policies.replicaLimits
        object

        A range of allowed replicas. Values are inclusive.

        • spec.policies.replicaLimits.maxReplicas
          integer

          The maximum number of replicas allowed, inclusive.

        • spec.policies.replicaLimits.minReplicas
          integer

          The minimum number of replicas allowed, inclusive.

      • spec.policies.requiredAnnotations
        object

        A list of annotations and values the object must specify.

        • spec.policies.requiredAnnotations.annotations
          array of objects
          • spec.policies.requiredAnnotations.annotations.allowedRegex
            string

            If specified, a regular expression the annotation’s value must match. The value must contain at least one match for the regular expression.

          • spec.policies.requiredAnnotations.annotations.key
            string

            The required annotation.

        • spec.policies.requiredAnnotations.watchKinds
          array of strings

          The list of Kubernetes objects in the format $apiGroup/$kind to watch the annotations on.

          • Element of the array
            string

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment
            
            "/Pod"
            
            networking.k8s.io/Ingress
            
      • spec.policies.requiredLabels
        object

        A list of labels and values the object must specify.

        • spec.policies.requiredLabels.labels
          array of objects
          • spec.policies.requiredLabels.labels.allowedRegex
            string

            If specified, a regular expression the label’s value must match. The value must contain at least one match for the regular expression.

          • spec.policies.requiredLabels.labels.key
            string

            The required label.

        • spec.policies.requiredLabels.watchKinds
          array of strings

          The list of Kubernetes objects in the format $apiGroup/$kind to watch the labels on.

          • Element of the array
            string

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment
            
            "/Pod"
            
            networking.k8s.io/Ingress
            
      • spec.policies.requiredProbes
        array of strings

        The list of probes that are required (e.g. readinessProbe and livenessProbe).

        Example:

        requiredProbes:
        - readinessProbe
        - livenessProbe
        
        • Element of the array
          string

          Allowed values: livenessProbe, readinessProbe, startupProbe

      • spec.policies.requiredResources
        object

        Requires containers to have the specified resource requests and/or limits set.

        • spec.policies.requiredResources.limits
          array of strings

          A list of limits that should be enforced (CPU, memory, or both).

          • Element of the array
            string

            Allowed values: cpu, memory

        • spec.policies.requiredResources.requests
          array of strings

          A list of requests that should be enforced (CPU, memory, or both).

          • Element of the array
            string

            Allowed values: cpu, memory

      • spec.policies.storageClassNames
        array of strings

        List of allowed storage class names.
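
A complete manifest that combines the match and policies fields described above, added here as an example and not taken from the original reference; the apiVersion deckhouse.io/v1alpha1, the object name, the namespace label, the registry prefixes and the label regex are assumptions.

```yaml
# Assumed example (not from the reference): a baseline policy for
# production namespaces. Roll it out with enforcementAction: Dryrun
# first, review the events in the Security/Admission policy engine
# Grafana dashboard, then switch to Deny.
apiVersion: deckhouse.io/v1alpha1
kind: OperationPolicy
metadata:
  name: production-baseline
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      labelSelector:
        matchLabels:
          environment: production   # assumed namespace label
      excludeNames:                 # glob patterns are supported
        - "kube-*"
        - "d8-*"
    labelSelector:
      matchExpressions:
        - key: tier
          operator: In
          values: [web, api]
  policies:
    allowedRepos:                   # image must start with one of these
      - registry.deckhouse.io
      - registry.example.com/apps   # assumed private registry
    disallowedImageTags:
      - latest
    imagePullPolicy: Always
    requiredProbes:
      - readinessProbe
      - livenessProbe
    requiredResources:
      requests: [cpu, memory]
      limits: [memory]
    replicaLimits:                  # bounds are inclusive
      minReplicas: 2
      maxReplicas: 20
    maxRevisionHistoryLimit: 5
    checkHostNetworkDNSPolicy: true
    checkContainerDuplicates: true
    requiredLabels:
      labels:
        - key: app.kubernetes.io/name
          allowedRegex: "^[a-z0-9-]+$"   # assumed naming convention
      watchKinds:                        # $apiGroup/$kind
        - apps/Deployment
        - apps/StatefulSet
```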