Policy
Policy is the schema for provider definitions in terraform controller
Version v1alpha1
Properties
.apiVersion
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
.kind
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
.metadata
.spec
PolicySpec defines the desired state of a provider
.spec.constraints
Constraints provides a series or constraints that must be enforced on the selectored terraform configurations.
.spec.constraints.checkov
Checkov provides the ability to enforce a set of security standards on all configurations. These can be configured to target specific resources based on namespace and resource labels
.spec.constraints.checkov.checks
Checks is a list of checks which should be applied against the configuration. Note, an empty list here implies checkov should run ALL checks. Please see https://www.checkov.io/5.Policy%20Index/terraform.html
.spec.constraints.checkov.checks[*]
.spec.constraints.checkov.external
External is a collection of external checks which should be included in the scan. Each of the external sources and retrieved and sourced into /run/policy/NAME where they can be included as part of the scan
.spec.constraints.checkov.external[*]
ExternalCheck defines the definition for an external check - this comprises of the source and any optional secret
.spec.constraints.checkov.external[*].name
Name provides a arbitrary name to the checks - note, this name is used as the directory name when we source the code
.spec.constraints.checkov.external[*].secretRef
SecretRef is reference to secret which contains environment variables used by the source command to retrieve the code. This could be cloud credentials, ssh keys, git username and password etc
.spec.constraints.checkov.external[*].secretRef.name
name is unique within a namespace to reference a secret resource.
.spec.constraints.checkov.external[*].secretRef.namespace
namespace defines the space within which the secret name must be unique.
.spec.constraints.checkov.external[*].url
URL is the source external checks - this is usually a git repository. The notation for this is https://github.com/hashicorp/go-getter
.spec.constraints.checkov.selector
Selector is the selector on the namespace or labels on the configuration. By leaving this fields empty you can implicitly selecting all configurations.
.spec.constraints.checkov.selector.namespace
Namespace is used to filter a configuration based on the namespace labels of where it exists
.spec.constraints.checkov.selector.namespace.matchExpressions
matchExpressions is a list of label selector requirements. The requirements are ANDed.
.spec.constraints.checkov.selector.namespace.matchExpressions[*]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
.spec.constraints.checkov.selector.namespace.matchExpressions[*].key
key is the label key that the selector applies to.
.spec.constraints.checkov.selector.namespace.matchExpressions[*].operator
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
.spec.constraints.checkov.selector.namespace.matchExpressions[*].values
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
.spec.constraints.checkov.selector.namespace.matchExpressions[*].values[*]
.spec.constraints.checkov.selector.namespace.matchLabels
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
.spec.constraints.checkov.selector.resource
Resource provides the ability to filter a configuration based on it’s labels
.spec.constraints.checkov.selector.resource.matchExpressions
matchExpressions is a list of label selector requirements. The requirements are ANDed.
.spec.constraints.checkov.selector.resource.matchExpressions[*]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
.spec.constraints.checkov.selector.resource.matchExpressions[*].key
key is the label key that the selector applies to.
.spec.constraints.checkov.selector.resource.matchExpressions[*].operator
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
.spec.constraints.checkov.selector.resource.matchExpressions[*].values
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
.spec.constraints.checkov.selector.resource.matchExpressions[*].values[*]
.spec.constraints.checkov.selector.resource.matchLabels
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
.spec.constraints.checkov.skipChecks
SkipChecks is a collection of checkov checks which you can defined as skipped. The security scan will ignore any failures on these checks.
.spec.constraints.checkov.skipChecks[*]
.spec.constraints.checkov.source
Source indicates an external source for the checkov configurations
.spec.constraints.checkov.source.configuration
Configuration is the configuration to use within the source directory
.spec.constraints.checkov.source.secretRef
SecretRef is reference to secret which contains environment variables used by the source command to retrieve the code. This could be cloud credentials, ssh keys, git username and password etc
.spec.constraints.checkov.source.secretRef.name
name is unique within a namespace to reference a secret resource.
.spec.constraints.checkov.source.secretRef.namespace
namespace defines the space within which the secret name must be unique.
.spec.constraints.checkov.source.url
URL is the source external checks - this is usually a git repository. The notation for this is https://github.com/hashicorp/go-getter
.spec.constraints.modules
Modules provides the ability to control the source for all terraform modules. Allowing platform teams to control where the modules can be downloaded from.
.spec.constraints.modules.allowed
Allowed is a collection of regexes which are applied to the source of the terraform configuration. The configuration MUST match one or more of the regexes in order to be allowed to run.
.spec.constraints.modules.allowed[*]
.spec.constraints.modules.selector
Selector is the selector on the namespace or labels on the configuration. By leaving this field empty you are implicitly selecting all configurations.
.spec.constraints.modules.selector.namespace
Namespace is used to filter a configuration based on the namespace labels of where it exists
.spec.constraints.modules.selector.namespace.matchExpressions
matchExpressions is a list of label selector requirements. The requirements are ANDed.
.spec.constraints.modules.selector.namespace.matchExpressions[*]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
.spec.constraints.modules.selector.namespace.matchExpressions[*].key
key is the label key that the selector applies to.
.spec.constraints.modules.selector.namespace.matchExpressions[*].operator
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
.spec.constraints.modules.selector.namespace.matchExpressions[*].values
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
.spec.constraints.modules.selector.namespace.matchExpressions[*].values[*]
.spec.constraints.modules.selector.namespace.matchLabels
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
.spec.constraints.modules.selector.resource
Resource provides the ability to filter a configuration based on it’s labels
.spec.constraints.modules.selector.resource.matchExpressions
matchExpressions is a list of label selector requirements. The requirements are ANDed.
.spec.constraints.modules.selector.resource.matchExpressions[*]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
.spec.constraints.modules.selector.resource.matchExpressions[*].key
key is the label key that the selector applies to.
.spec.constraints.modules.selector.resource.matchExpressions[*].operator
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
.spec.constraints.modules.selector.resource.matchExpressions[*].values
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
.spec.constraints.modules.selector.resource.matchExpressions[*].values[*]
.spec.constraints.modules.selector.resource.matchLabels
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
.spec.defaults
Defaults provides the ability to target specific terraform module based on namespace or resource labels and automatically inject variables into the configurations.
.spec.defaults[*]
DefaultVariables provides platform administrators the ability to inject default variables into a configuration
.spec.defaults[*].secrets
Secrets is a collection of secrets which are used to inject variables into the configuration
.spec.defaults[*].secrets[*]
.spec.defaults[*].selector
Selector is used to determine which configurations the variables should be injected into
.spec.defaults[*].selector.modules
Modules provides a collection of regexes which are used to match against the configuration module
.spec.defaults[*].selector.modules[*]
.spec.defaults[*].selector.namespace
Namespace selectors all configurations under one or more namespaces, determined by the labeling on the namespace.
.spec.defaults[*].selector.namespace.matchExpressions
matchExpressions is a list of label selector requirements. The requirements are ANDed.
.spec.defaults[*].selector.namespace.matchExpressions[*]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
.spec.defaults[*].selector.namespace.matchExpressions[*].key
key is the label key that the selector applies to.
.spec.defaults[*].selector.namespace.matchExpressions[*].operator
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
.spec.defaults[*].selector.namespace.matchExpressions[*].values
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
.spec.defaults[*].selector.namespace.matchExpressions[*].values[*]
.spec.defaults[*].selector.namespace.matchLabels
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
.spec.defaults[*].variables
Variables is a collection of variables to inject into the configuration
.spec.summary
Summary is an optional field which can be used to define a summary of what the policy is configured to enforce.
.status
PolicyStatus defines the observed state of a provider
.status.conditions
Conditions represents the observations of the resource’s current state.
.status.conditions[*]
Condition is the current observed condition of some aspect of a resource
.status.conditions[*].detail
Detail is any additional human-readable detail to understand this condition, for example, the full underlying error which caused an issue
.status.conditions[*].lastTransitionTime
LastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
.status.conditions[*].message
Message is a human readable message indicating details about the transition. This may be an empty string.
.status.conditions[*].name
Name is a human-readable name for this condition.
.status.conditions[*].observedGeneration
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
.status.conditions[*].reason
Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
.status.conditions[*].status
Status of the condition, one of True, False, Unknown.
.status.conditions[*].type
Type of condition in CamelCase or in foo.example.com/CamelCase. — Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
.status.lastReconcile
LastReconcile describes the generation and time of the last reconciliation
.status.lastReconcile.generation
Generation is the generation reconciled on the last reconciliation
.status.lastReconcile.time
Time is the last time the resource was reconciled
.status.lastSuccess
LastSuccess descibes the generation and time of the last reconciliation which resulted in a Success status
.status.lastSuccess.generation
Generation is the generation reconciled on the last reconciliation
.status.lastSuccess.time
Time is the last time the resource was reconciled