diff --git a/build/crd-sync.sh b/build/crd-sync.sh
index efe1f23d..867dda9e 100755
--- a/build/crd-sync.sh
+++ b/build/crd-sync.sh
@@ -47,6 +47,10 @@ generate_v1beta1() {
 generate_v1beta1 ../policy-crd-v1beta1.yaml
 )
 
+crdPrefix='# Copyright Contributors to the Open Cluster Management project
+
+{{- if semverCompare "< 1.16.0" (.Values.hostingClusterCapabilities.KubeVersion.Version | default .Capabilities.KubeVersion.Version) }}'
+
 addLocationLabel='.metadata.labels += {"addon.open-cluster-management.io/hosted-manifest-location": "hosting"}'
 addTemplateLabel='.metadata.labels += {"policy.open-cluster-management.io/policy-type": "template"}'
 
@@ -56,9 +60,7 @@ addTempAnnotation='.metadata.annotations += {"SEDTARGET": "SEDTARGET"}'
 replaceAnnotation='s/SEDTARGET: SEDTARGET/{{ if .Values.onMulticlusterHub }}"addon.open-cluster-management.io\/deletion-orphan": ""{{ end }}/g'
 
 cat > pkg/addon/configpolicy/manifests/managedclusterchart/templates/policy.open-cluster-management.io_configurationpolicies_crd.yaml << EOF
-# Copyright Contributors to the Open Cluster Management project
-
-{{- if semverCompare "< 1.16.0" .Capabilities.KubeVersion.Version }}
+${crdPrefix}
 $(yq e "$addLocationLabel | $addTemplateLabel" .go/config-policy-crd-v1beta1.yaml)
 {{ else }}
 $(yq e "$addLocationLabel" .go/config-policy-crd-v1.yaml)
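Review bot: The `default` in `crdPrefix` only covers the case where `.Values.hostingClusterCapabilities.KubeVersion.Version` is present but empty; if `hostingClusterCapabilities` (or its `KubeVersion`) is absent from the chart values, Go templates fail with a nil-pointer error while descending the path, before `default` is ever evaluated, so every CRD template would stop rendering on a plain, non-hosted install. The chart's values.yaml is not in this diff, so this needs confirming; if the key is not guaranteed to exist, use a nil-safe lookup instead, for example `{{- if semverCompare "< 1.16.0" (dig "hostingClusterCapabilities" "KubeVersion" "Version" .Capabilities.KubeVersion.Version .Values.AsMap) }}`. Because this one expression is spliced into three generated templates (the `@@ -56` hunk here and both blocks of the `@@ -66` hunk), a rendering failure in it takes all three CRDs down at once, so it is worth a `helm template` run against a values file without the hosted-cluster keys.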
@@ -66,17 +68,13 @@ $(yq e "$addLocationLabel" .go/config-policy-crd-v1.yaml)
 EOF
 
 cat > pkg/addon/configpolicy/manifests/managedclusterchart/templates/policy.open-cluster-management.io_operatorpolicies_crd.yaml << EOF
-# Copyright Contributors to the Open Cluster Management project
-
-{{- if semverCompare "> 1.16.0" .Capabilities.KubeVersion.Version }}
+$(echo "${crdPrefix}" | sed 's//')
 $(yq e "$addLocationLabel" .go/operator-policy-crd-v1.yaml)
 {{- end }}
 EOF
 
 cat > pkg/addon/policyframework/manifests/managedclusterchart/templates/policy.open-cluster-management.io_policies_crd.yaml << EOF
-# Copyright Contributors to the Open Cluster Management project
-
-{{- if semverCompare "< 1.16.0" .Capabilities.KubeVersion.Version }}
+${crdPrefix}
 $(yq e "$addTempAnnotation | $addLocationLabel" .go/policy-crd-v1beta1.yaml | sed -E "$replaceAnnotation")
 {{ else }}
 $(yq e "$addTempAnnotation | $addLocationLabel" .go/policy-crd-v1.yaml | sed -E "$replaceAnnotation")
diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/policy.open-cluster-management.io_operatorpolicies_crd.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/policy.open-cluster-management.io_operatorpolicies_crd.yaml
index cf105dcd..c21cde62 100644
--- a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/policy.open-cluster-management.io_operatorpolicies_crd.yaml
+++ b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/policy.open-cluster-management.io_operatorpolicies_crd.yaml
@@ -49,6 +49,7 @@ spec:
 description: ComplianceType describes whether we must or must not have a given resource
 enum:
 - musthave
+ - mustnothave
 type: string
 operatorGroup:
 description: |-
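Review bot: `sed 's//'` in the operator-policy block is not a valid substitution (it has no replacement delimiter, and an empty pattern has no previous regex to reuse), so `sed` exits with an error and prints nothing; because that failure happens inside a command substitution within the heredoc, `cat` still succeeds and the generated operatorpolicies template silently loses both its header and its `{{- if ... }}`, leaving the `{{- end }}` on the following context line unmatched. The deleted lines used `"> 1.16.0"` for this CRD, the opposite of the `"< 1.16.0"` baked into `crdPrefix`, so the intent looks like an edit rather than a no-op; to reproduce the previous condition use `+$(echo "${crdPrefix}" | sed 's/< 1.16.0/> 1.16.0/')`. Since neither `set -e` nor `pipefail` propagates a command-substitution failure out of a heredoc body, a `helm template` or `helm lint` step over the generated chart in CI is the reliable way to turn this kind of breakage into a build-time failure instead of an install-time one.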
@@ -65,6 +66,56 @@ spec:
 - Enforce
 - enforce
 type: string
+ removalBehavior:
+ default: {}
+ description: |-
+ RemovalBehavior defines what resources will be removed by enforced mustnothave policies.
+ When in inform mode, any resources that would be deleted if the policy was enforced will
+ be causes for NonCompliance, but resources that would be kept will be considered Compliant.
+ properties:
+ clusterServiceVersions:
+ default: Delete
+ description: Specifies whether to delete the ClusterServiceVersion; defaults to 'Delete'
+ enum:
+ - Keep
+ - Delete
+ type: string
+ customResourceDefinitions:
+ default: Keep
+ description: |-
+ Specifies whether to delete any CustomResourceDefinitions associated with the operator;
+ defaults to 'Keep' because deleting them should be done deliberately
+ enum:
+ - Keep
+ - Delete
+ type: string
+ installPlans:
+ default: Keep
+ description: |-
+ Specifies whether to delete any InstallPlans associated with the operator; defaults
+ to 'Keep' because those objects are only for history
+ enum:
+ - Keep
+ - Delete
+ type: string
+ operatorGroups:
+ default: DeleteIfUnused
+ description: |-
+ Specifies whether to delete the OperatorGroup; defaults to 'DeleteIfUnused' which
+ will only delete the OperatorGroup if there is not another Subscription using it.
+ enum:
+ - Keep
+ - Delete
+ - DeleteIfUnused
+ type: string
+ subscriptions:
+ default: Delete
+ description: Specifies whether to delete the Subscription; defaults to 'Delete'
+ enum:
+ - Keep
+ - Delete
+ type: string
+ type: object
 severity:
 description: 'Severity : low, medium, high, or critical'
 enum:
diff --git a/pkg/addon/policyframework/manifests/managedclusterchart/templates/policy.open-cluster-management.io_policies_crd.yaml b/pkg/addon/policyframework/manifests/managedclusterchart/templates/policy.open-cluster-management.io_policies_crd.yaml
index 5d93f950..18e26bea 100644
--- a/pkg/addon/policyframework/manifests/managedclusterchart/templates/policy.open-cluster-management.io_policies_crd.yaml
+++ b/pkg/addon/policyframework/manifests/managedclusterchart/templates/policy.open-cluster-management.io_policies_crd.yaml
@@ -33,7 +33,9 @@ spec: scope: Namespaced validation: openAPIV3Schema: - description: Policy is the Schema for the policies API + description: |- + Policy is the schema for the policies API. Policy wraps other policy engine resources in its + "policy-templates" array in order to deliver the resources to managed clusters. properties: apiVersion: description: |-
@@ -53,16 +55,25 @@ spec: metadata: type: object spec: - description: PolicySpec defines the desired state of Policy + description: |- + PolicySpec defines the configurations of the policy engine resources to deliver to the managed + clusters. properties: copyPolicyMetadata: description: |- - If set to true (default), all the policy's labels and annotations will be copied to the replicated policy. - If set to false, only the policy framework specific policy labels and annotations will be copied to the - replicated policy. + CopyPolicyMetadata specifies whether the labels and annotations of a policy should be copied + when replicating the policy to a managed cluster. If set to "true", all of the labels and + annotations of the policy are copied to the replicated policy. If set to "false", only the + policy framework-specific policy labels and annotations are copied to the replicated policy. + This setting is useful if there is tracking for metadata that should only exist on the root + policy. It is recommended to set this to "false" when using Argo CD to deploy the policy + definition since Argo CD uses metadata for tracking that should not be replicated. The default + value is "true". type: boolean dependencies: - description: PolicyDependencies that apply to each template in this Policy + description: |- + PolicyDependencies is a list of dependency objects detailed with extra considerations for + compliance that should be fulfilled before applying the policies to the managed clusters. items: description: |- Each PolicyDependency defines an object reference which must be in a certain compliance 
@@ -76,7 +87,9 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string compliance: - description: The ComplianceState (at path .status.compliant) required before the policy should be created + description: |- + Compliance is the required ComplianceState of the object that the policy depends on, at the + following path, .status.compliant. enum: - Compliant - Pending
@@ -91,10 +104,10 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: The name of the object to be checked + description: Name is the name of the object that the policy depends on. type: string namespace: - description: The namespace of the object to be checked (optional) + description: Namespace is the namespace of the object that the policy depends on (optional). type: string required: - compliance
@@ -102,15 +115,25 @@ spec: type: object type: array disabled: - description: This provides the ability to enable and disable your policies. + description: |- + Disabled is a boolean parameter you can use to enable and disable the policy. When disabled, + the policy is removed from managed clusters. type: boolean policy-templates: - description: Used to create one or more policies to apply to a managed cluster + description: |- + PolicyTemplates is a list of definitions of policy engine resources to apply to managed + clusters along with configurations on how it should be applied. items: - description: PolicyTemplate template for custom security policy + description: |- + PolicyTemplate is the definition of the policy engine resource to apply to the managed cluster, + along with configurations on how it should be applied. properties: extraDependencies: - description: Additional PolicyDependencies that only apply to this template + description: |- + ExtraDependencies is additional PolicyDependencies that only apply to this policy template. + ExtraDependencies is a list of dependency objects detailed with extra considerations for + compliance that should be fulfilled before applying the policy template to the managed + clusters. items: description: |- Each PolicyDependency defines an object reference which must be in a certain compliance
@@ -124,7 +147,9 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string compliance: - description: The ComplianceState (at path .status.compliant) required before the policy should be created + description: |- + Compliance is the required ComplianceState of the object that the policy depends on, at the + following path, .status.compliant. enum: - Compliant - Pending
@@ -139,10 +164,10 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: The name of the object to be checked + description: Name is the name of the object that the policy depends on. type: string namespace: - description: The namespace of the object to be checked (optional) + description: Namespace is the namespace of the object that the policy depends on (optional). type: string required: - compliance
@@ -150,7 +175,10 @@ spec: type: object type: array ignorePending: - description: Ignore this template's Pending status when calculating the overall Policy status + description: |- + IgnorePending is a boolean parameter to specify whether to ignore the "Pending" status of this + template when calculating the overall policy status. The default value is "false" to not ignore a + "Pending" status. type: boolean objectDefinition: description: A Kubernetes object defining the policy to apply to a managed cluster
@@ -161,7 +189,11 @@ spec: type: object type: array remediationAction: - description: This value (Enforce or Inform) will override the remediationAction on each template + description: |- + RemediationAction specifies the remediation of the policy. The parameter values are "enforce" + and "inform". If specified, the value that is defined overrides any remediationAction parameter + defined in the child policies in the "policy-templates" section. Important: Not all policy + engine kinds support the enforce feature. enum: - Inform - inform
@@ -173,32 +205,46 @@ spec: - policy-templates type: object status: - description: PolicyStatus defines the observed state of Policy + description: PolicyStatus reports the observed status of the policy resulting from its policy templates. properties: compliant: - description: ComplianceState shows the state of enforcement + description: |- + ComplianceState reports the observed status resulting from the definitions of this policy. This + status field is only used in the replicated policy in the managed cluster namespace. enum: - Compliant - Pending - NonCompliant type: string details: + description: |- + Details is the list of compliance details for each policy template definition. This status + field is only used in the replicated policy in the managed cluster namespace. items: - description: DetailsPerTemplate defines compliance details and history + description: |- + DetailsPerTemplate reports the current compliance state and list of recent compliance messages + for a given policy template. properties: compliant: - description: ComplianceState shows the state of enforcement + description: ComplianceState reports the observed status resulting from the definitions of the policy. + enum: + - Compliant + - Pending + - NonCompliant type: string history: items: - description: ComplianceHistory defines compliance details history + description: ComplianceHistory reports a compliance message from a given time and event. properties: eventName: + description: EventName is the name of the event attached to the message. type: string lastTimestamp: + description: LastTimestamp is the timestamp of the event that reported the message. format: date-time type: string message: + description: Message is the compliance message resulting from evaluating the policy resource. type: string type: object type: array 
@@ -208,12 +254,16 @@ spec: type: object type: array placement: + description: |- + Placement is a list of managed cluster placement resources bound to the policy. This status + field is only used in the root policy on the hub cluster. items: - description: Placement defines the placement results + description: Placement reports how and what managed cluster placement resources are attached to the policy. properties: decisions: + description: Decisions is the list of managed clusters returned by the placement resource for this binding. items: - description: PlacementDecision defines the decision made by controller + description: PlacementDecision is the cluster name returned by the placement resource. properties: clusterName: type: string 
@@ -222,25 +272,47 @@ spec: type: object type: array placement: + description: |- + Placement is the name of the Placement resource, from the cluster.open-cluster-management.io + API group, that is bound to the policy. type: string placementBinding: + description: |- + PlacementBinding is the name of the PlacementBinding resource, from the + policies.open-cluster-management.io API group, that binds the placement resource to the policy. type: string placementRule: + description: |- + PlacementRule (deprecated) is the name of the PlacementRule resource, from the + apps.open-cluster-management.io API group, that is bound to the policy. type: string policySet: + description: |- + PolicySet is the name of the policy set containing this policy and bound to the placement. If + specified, then for this placement the policy is being propagated through this policy set + rather than the policy being bound directly to a placement and propagated individually. type: string type: object type: array status: + description: |- + Status is a list of managed clusters and the current compliance state of each one. This + status field is only used in the root policy on the hub cluster. items: - description: CompliancePerClusterStatus defines compliance per cluster status + description: |- + CompliancePerClusterStatus reports the name of a managed cluster and its compliance state for + this policy. properties: clustername: type: string clusternamespace: type: string compliant: - description: ComplianceState shows the state of enforcement + description: ComplianceState reports the observed status resulting from the definitions of the policy. + enum: + - Compliant + - Pending + - NonCompliant type: string type: object type: array 
@@ -289,7 +361,9 @@ spec: name: v1 schema: openAPIV3Schema: - description: Policy is the Schema for the policies API + description: |- + Policy is the schema for the policies API. Policy wraps other policy engine resources in its + "policy-templates" array in order to deliver the resources to managed clusters. properties: apiVersion: description: |-
@@ -309,16 +383,25 @@ spec: metadata: type: object spec: - description: PolicySpec defines the desired state of Policy + description: |- + PolicySpec defines the configurations of the policy engine resources to deliver to the managed + clusters. properties: copyPolicyMetadata: description: |- - If set to true (default), all the policy's labels and annotations will be copied to the replicated policy. - If set to false, only the policy framework specific policy labels and annotations will be copied to the - replicated policy. + CopyPolicyMetadata specifies whether the labels and annotations of a policy should be copied + when replicating the policy to a managed cluster. If set to "true", all of the labels and + annotations of the policy are copied to the replicated policy. If set to "false", only the + policy framework-specific policy labels and annotations are copied to the replicated policy. + This setting is useful if there is tracking for metadata that should only exist on the root + policy. It is recommended to set this to "false" when using Argo CD to deploy the policy + definition since Argo CD uses metadata for tracking that should not be replicated. The default + value is "true". type: boolean dependencies: - description: PolicyDependencies that apply to each template in this Policy + description: |- + PolicyDependencies is a list of dependency objects detailed with extra considerations for + compliance that should be fulfilled before applying the policies to the managed clusters. items: description: |- Each PolicyDependency defines an object reference which must be in a certain compliance
@@ -345,7 +428,9 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string compliance: - description: The ComplianceState (at path .status.compliant) required before the policy should be created + description: |- + Compliance is the required ComplianceState of the object that the policy depends on, at the + following path, .status.compliant. enum: - Compliant - Pending
@@ -360,10 +445,10 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: The name of the object to be checked + description: Name is the name of the object that the policy depends on. type: string namespace: - description: The namespace of the object to be checked (optional) + description: Namespace is the namespace of the object that the policy depends on (optional). type: string required: - compliance
@@ -371,15 +456,25 @@ spec: type: object type: array disabled: - description: This provides the ability to enable and disable your policies. + description: |- + Disabled is a boolean parameter you can use to enable and disable the policy. When disabled, + the policy is removed from managed clusters. type: boolean policy-templates: - description: Used to create one or more policies to apply to a managed cluster + description: |- + PolicyTemplates is a list of definitions of policy engine resources to apply to managed + clusters along with configurations on how it should be applied. items: - description: PolicyTemplate template for custom security policy + description: |- + PolicyTemplate is the definition of the policy engine resource to apply to the managed cluster, + along with configurations on how it should be applied. properties: extraDependencies: - description: Additional PolicyDependencies that only apply to this template + description: |- + ExtraDependencies is additional PolicyDependencies that only apply to this policy template. + ExtraDependencies is a list of dependency objects detailed with extra considerations for + compliance that should be fulfilled before applying the policy template to the managed + clusters. items: description: |- Each PolicyDependency defines an object reference which must be in a certain compliance
@@ -406,7 +501,9 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string compliance: - description: The ComplianceState (at path .status.compliant) required before the policy should be created + description: |- + Compliance is the required ComplianceState of the object that the policy depends on, at the + following path, .status.compliant. enum: - Compliant - Pending
@@ -421,10 +518,10 @@ spec: More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: The name of the object to be checked + description: Name is the name of the object that the policy depends on. type: string namespace: - description: The namespace of the object to be checked (optional) + description: Namespace is the namespace of the object that the policy depends on (optional). type: string required: - compliance
@@ -432,7 +529,10 @@ spec: type: object type: array ignorePending: - description: Ignore this template's Pending status when calculating the overall Policy status + description: |- + IgnorePending is a boolean parameter to specify whether to ignore the "Pending" status of this + template when calculating the overall policy status. The default value is "false" to not ignore a + "Pending" status. type: boolean objectDefinition: description: A Kubernetes object defining the policy to apply to a managed cluster
@@ -443,7 +543,11 @@ spec: type: object type: array remediationAction: - description: This value (Enforce or Inform) will override the remediationAction on each template + description: |- + RemediationAction specifies the remediation of the policy. The parameter values are "enforce" + and "inform". If specified, the value that is defined overrides any remediationAction parameter + defined in the child policies in the "policy-templates" section. Important: Not all policy + engine kinds support the enforce feature. enum: - Inform - inform
@@ -455,32 +559,46 @@ spec: - policy-templates type: object status: - description: PolicyStatus defines the observed state of Policy + description: PolicyStatus reports the observed status of the policy resulting from its policy templates. properties: compliant: - description: ComplianceState shows the state of enforcement + description: |- + ComplianceState reports the observed status resulting from the definitions of this policy. This + status field is only used in the replicated policy in the managed cluster namespace. enum: - Compliant - Pending - NonCompliant type: string details: + description: |- + Details is the list of compliance details for each policy template definition. This status + field is only used in the replicated policy in the managed cluster namespace. items: - description: DetailsPerTemplate defines compliance details and history + description: |- + DetailsPerTemplate reports the current compliance state and list of recent compliance messages + for a given policy template. properties: compliant: - description: ComplianceState shows the state of enforcement + description: ComplianceState reports the observed status resulting from the definitions of the policy. + enum: + - Compliant + - Pending + - NonCompliant type: string history: items: - description: ComplianceHistory defines compliance details history + description: ComplianceHistory reports a compliance message from a given time and event. properties: eventName: + description: EventName is the name of the event attached to the message. type: string lastTimestamp: + description: LastTimestamp is the timestamp of the event that reported the message. format: date-time type: string message: + description: Message is the compliance message resulting from evaluating the policy resource. type: string type: object type: array 
@@ -490,12 +608,16 @@ spec: type: object type: array placement: + description: |- + Placement is a list of managed cluster placement resources bound to the policy. This status + field is only used in the root policy on the hub cluster. items: - description: Placement defines the placement results + description: Placement reports how and what managed cluster placement resources are attached to the policy. properties: decisions: + description: Decisions is the list of managed clusters returned by the placement resource for this binding. items: - description: PlacementDecision defines the decision made by controller + description: PlacementDecision is the cluster name returned by the placement resource. properties: clusterName: type: string 
@@ -504,25 +626,47 @@ spec: type: object type: array placement: + description: |- + Placement is the name of the Placement resource, from the cluster.open-cluster-management.io + API group, that is bound to the policy. type: string placementBinding: + description: |- + PlacementBinding is the name of the PlacementBinding resource, from the + policies.open-cluster-management.io API group, that binds the placement resource to the policy. type: string placementRule: + description: |- + PlacementRule (deprecated) is the name of the PlacementRule resource, from the + apps.open-cluster-management.io API group, that is bound to the policy. type: string policySet: + description: |- + PolicySet is the name of the policy set containing this policy and bound to the placement. If + specified, then for this placement the policy is being propagated through this policy set + rather than the policy being bound directly to a placement and propagated individually. type: string type: object type: array status: + description: |- + Status is a list of managed clusters and the current compliance state of each one. This + status field is only used in the root policy on the hub cluster. items: - description: CompliancePerClusterStatus defines compliance per cluster status + description: |- + CompliancePerClusterStatus reports the name of a managed cluster and its compliance state for + this policy. properties: clustername: type: string clusternamespace: type: string compliant: - description: ComplianceState shows the state of enforcement + description: ComplianceState reports the observed status resulting from the definitions of the policy. + enum: + - Compliant + - Pending + - NonCompliant type: string type: object type: array