Custom resource OperationPolicy

OperationPolicy

Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.

Each CustomResource OperationPolicy describes rules for objects in a cluster.

• spec

  object

  Required value

  • spec.enforcementAction

    string

    The enforcement action to control what to do with the result of the constraint.

    • Deny — Deny action.
    • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana in dashboard Security/Admission policy engine.
    • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

    Default: "Deny"

    Allowed values: Warn, Deny, Dryrun

  • spec.match

    object

    Required value

    • spec.match.labelSelector

      object

      Specifies the label selector to filter Pods with.

      You can get more into here.

      • spec.match.labelSelector.matchExpressions

        array of objects

        List of label expressions for Pods.

        Example:

        matchExpressions:
        - key: tier
          operator: In
          values:
          - production
          - staging
        

        • spec.match.labelSelector.matchExpressions.key

          string

          Required value

        • spec.match.labelSelector.matchExpressions.operator

          string

          Required value

          Allowed values: In, NotIn, Exists, DoesNotExist

        • spec.match.labelSelector.matchExpressions.values

          array of strings
      • spec.match.labelSelector.matchLabels

        object

        List of labels which Pod should have.

        Example:

        matchLabels:
          foo: bar
          baz: who
        

    • spec.match.namespaceSelector

      object

      Specifies the Namespace selector to filter objects with.

      • spec.match.namespaceSelector.excludeNames

        array of strings

        Include all namespaces except a particular set. Support glob pattern.

      • spec.match.namespaceSelector.labelSelector

        object

        Specifies the label selector to filter namespaces.

        You can get more info in the documentation.

        • spec.match.namespaceSelector.labelSelector.matchExpressions

          array of objects

          List of label expressions for namespaces.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          

          • spec.match.namespaceSelector.labelSelector.matchExpressions.key

            string

            Required value

          • spec.match.namespaceSelector.labelSelector.matchExpressions.operator

            string

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.namespaceSelector.labelSelector.matchExpressions.values

            array of strings
        • spec.match.namespaceSelector.labelSelector.matchLabels

          object

          List of labels which a namespace should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          

      • spec.match.namespaceSelector.matchNames

        array of strings

        Include only a particular set of namespaces. Supports glob pattern.

  • spec.policies

    object

    Required value

    • spec.policies.allowedRepos

      array of strings

      The list of prefixes a container image is allowed to have.

      • Element of the array

        string

        Example:

        registry.deckhouse.io
        

    • spec.policies.checkContainerDuplicates

      boolean

      Check container names and env variables for duplicates.

    • spec.policies.checkHostNetworkDNSPolicy

      boolean

      Check ClusterFirstWithHostNet dnsPolicy is set for Pods with hostNetwork: true.

    • spec.policies.disallowedImageTags

      array of strings

      Requires container images to have an image tag different from the ones in the specified list.

      Example:

      disallowedImageTags: latest
      

    • spec.policies.imagePullPolicy

      string

      Required image pull policy for containers.

      Allowed values: Always, IfNotPresent

    • spec.policies.ingressClassNames

      array of strings

      List of allowed ingress class names.

    • spec.policies.maxRevisionHistoryLimit

      integer

      A maximum value for a revision history.

    • spec.policies.priorityClassNames

      array of strings

      List of allowed priority class names.

    • spec.policies.replicaLimits

      object

      A range of allowed replicas. Values are inclusive.

      • spec.policies.replicaLimits.maxReplicas

        integer

        The maximum number of replicas allowed, inclusive.

      • spec.policies.replicaLimits.minReplicas

        integer

        The minimum number of replicas allowed, inclusive.

    • spec.policies.requiredAnnotations

      object

      A list of annotations and values the object must specify.

      • spec.policies.requiredAnnotations.annotations

        array of objects
        • spec.policies.requiredAnnotations.annotations.allowedRegex

          string

          If specified, a regular expression, the annotation’s value must match. The value must contain at least one match for the regular expression.

        • spec.policies.requiredAnnotations.annotations.key

          string

          The required annotation.

      • spec.policies.requiredAnnotations.watchKinds

        array of strings

        The list of kubernetes objects in the format $apiGroup/$kind to watch the annotations on.

        • Element of the array

          string

          Pattern: ^[a-z]*/[a-zA-Z]+$

          Examples:

          apps/Deployment
          

          "/Pod"
          

          networking.k8s.io/Ingress
          

    • spec.policies.requiredLabels

      object

      A list of labels and values the object must specify.

      • spec.policies.requiredLabels.labels

        array of objects
        • spec.policies.requiredLabels.labels.allowedRegex

          string

          If specified, a regular expression, the label’s value must match. The value must contain at least one match for the regular expression.

        • spec.policies.requiredLabels.labels.key

          string

          The required label.

      • spec.policies.requiredLabels.watchKinds

        array of strings

        The list of kubernetes objects in the format $apiGroup/$kind to watch the labels on.

        • Element of the array

          string

          Pattern: ^[a-z]*/[a-zA-Z]+$

          Examples:

          apps/Deployment
          

          "/Pod"
          

          networking.k8s.io/Ingress
          

    • spec.policies.requiredProbes

      array of strings

      The list of probes that are required (e.g. readinessProbe and livenessProbe)

      Example:

      requiredProbes:
      - readinessProbe
      - livenessProbe
      

      • Element of the array

        string

        Allowed values: livenessProbe, readinessProbe, startupProbe

    • spec.policies.requiredResources

      object

      Requires containers to have defined resources set.

      • spec.policies.requiredResources.limits

        array of strings

        A list of limits that should be enforced (CPU, memory, or both).

        • Element of the array

          string

          Allowed values: cpu, memory

      • spec.policies.requiredResources.requests

        array of strings

        A list of requests that should be enforced (CPU, memory, or both).

        • Element of the array

          string

          Allowed values: cpu, memory

    • spec.policies.storageClassNames

      array of strings

      List of allowed storage class names.