Skip to main content

Policy

Policy is the schema for provider definitions in terraform controller

Full name:
policies.terraform.appvia.io
Group:
terraform.appvia.io
Singular name:
policy
Plural name:
policies
Scope:
Cluster
Versions:
v1alpha1

Version v1alpha1

Properties

.apiVersion

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

.kind

string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

.metadata

object

.spec

object

PolicySpec defines the desired state of a provider

.spec.constraints

object

Constraints provides a series or constraints that must be enforced on the selectored terraform configurations.

.spec.constraints.checkov

object

Checkov provides the ability to enforce a set of security standards on all configurations. These can be configured to target specific resources based on namespace and resource labels

.spec.constraints.checkov.checks

array

Checks is a list of checks which should be applied against the configuration. Note, an empty list here implies checkov should run ALL checks. Please see https://www.checkov.io/5.Policy%20Index/terraform.html

.spec.constraints.checkov.checks[*]

string

.spec.constraints.checkov.external

array

External is a collection of external checks which should be included in the scan. Each of the external sources and retrieved and sourced into /run/policy/NAME where they can be included as part of the scan

.spec.constraints.checkov.external[*]

object

ExternalCheck defines the definition for an external check - this comprises of the source and any optional secret

.spec.constraints.checkov.external[*].name

string

Name provides a arbitrary name to the checks - note, this name is used as the directory name when we source the code

.spec.constraints.checkov.external[*].secretRef

object

SecretRef is reference to secret which contains environment variables used by the source command to retrieve the code. This could be cloud credentials, ssh keys, git username and password etc

.spec.constraints.checkov.external[*].secretRef.name

string

name is unique within a namespace to reference a secret resource.

.spec.constraints.checkov.external[*].secretRef.namespace

string

namespace defines the space within which the secret name must be unique.

.spec.constraints.checkov.external[*].url

string

URL is the source external checks - this is usually a git repository. The notation for this is https://github.com/hashicorp/go-getter

.spec.constraints.checkov.selector

object

Selector is the selector on the namespace or labels on the configuration. By leaving this fields empty you can implicitly selecting all configurations.

.spec.constraints.checkov.selector.namespace

object

Namespace is used to filter a configuration based on the namespace labels of where it exists

.spec.constraints.checkov.selector.namespace.matchExpressions

array

matchExpressions is a list of label selector requirements. The requirements are ANDed.

.spec.constraints.checkov.selector.namespace.matchExpressions[*]

object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

.spec.constraints.checkov.selector.namespace.matchExpressions[*].key

stringRequired

key is the label key that the selector applies to.

.spec.constraints.checkov.selector.namespace.matchExpressions[*].operator

stringRequired

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

.spec.constraints.checkov.selector.namespace.matchExpressions[*].values

array

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

.spec.constraints.checkov.selector.namespace.matchExpressions[*].values[*]

string

.spec.constraints.checkov.selector.namespace.matchLabels

object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.

.spec.constraints.checkov.selector.resource

object

Resource provides the ability to filter a configuration based on it’s labels

.spec.constraints.checkov.selector.resource.matchExpressions

array

matchExpressions is a list of label selector requirements. The requirements are ANDed.

.spec.constraints.checkov.selector.resource.matchExpressions[*]

object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

.spec.constraints.checkov.selector.resource.matchExpressions[*].key

stringRequired

key is the label key that the selector applies to.

.spec.constraints.checkov.selector.resource.matchExpressions[*].operator

stringRequired

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

.spec.constraints.checkov.selector.resource.matchExpressions[*].values

array

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

.spec.constraints.checkov.selector.resource.matchExpressions[*].values[*]

string

.spec.constraints.checkov.selector.resource.matchLabels

object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.

.spec.constraints.checkov.skipChecks

array

SkipChecks is a collection of checkov checks which you can defined as skipped. The security scan will ignore any failures on these checks.

.spec.constraints.checkov.skipChecks[*]

string

.spec.constraints.checkov.source

object

Source indicates an external source for the checkov configurations

.spec.constraints.checkov.source.configuration

string

Configuration is the configuration to use within the source directory

.spec.constraints.checkov.source.secretRef

object

SecretRef is reference to secret which contains environment variables used by the source command to retrieve the code. This could be cloud credentials, ssh keys, git username and password etc

.spec.constraints.checkov.source.secretRef.name

string

name is unique within a namespace to reference a secret resource.

.spec.constraints.checkov.source.secretRef.namespace

string

namespace defines the space within which the secret name must be unique.

.spec.constraints.checkov.source.url

string

URL is the source external checks - this is usually a git repository. The notation for this is https://github.com/hashicorp/go-getter

.spec.constraints.modules

object

Modules provides the ability to control the source for all terraform modules. Allowing platform teams to control where the modules can be downloaded from.

.spec.constraints.modules.allowed

array

Allowed is a collection of regexes which are applied to the source of the terraform configuration. The configuration MUST match one or more of the regexes in order to be allowed to run.

.spec.constraints.modules.allowed[*]

string

.spec.constraints.modules.selector

object

Selector is the selector on the namespace or labels on the configuration. By leaving this field empty you are implicitly selecting all configurations.

.spec.constraints.modules.selector.namespace

object

Namespace is used to filter a configuration based on the namespace labels of where it exists

.spec.constraints.modules.selector.namespace.matchExpressions

array

matchExpressions is a list of label selector requirements. The requirements are ANDed.

.spec.constraints.modules.selector.namespace.matchExpressions[*]

object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

.spec.constraints.modules.selector.namespace.matchExpressions[*].key

stringRequired

key is the label key that the selector applies to.

.spec.constraints.modules.selector.namespace.matchExpressions[*].operator

stringRequired

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

.spec.constraints.modules.selector.namespace.matchExpressions[*].values

array

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

.spec.constraints.modules.selector.namespace.matchExpressions[*].values[*]

string

.spec.constraints.modules.selector.namespace.matchLabels

object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.

.spec.constraints.modules.selector.resource

object

Resource provides the ability to filter a configuration based on it’s labels

.spec.constraints.modules.selector.resource.matchExpressions

array

matchExpressions is a list of label selector requirements. The requirements are ANDed.

.spec.constraints.modules.selector.resource.matchExpressions[*]

object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

.spec.constraints.modules.selector.resource.matchExpressions[*].key

stringRequired

key is the label key that the selector applies to.

.spec.constraints.modules.selector.resource.matchExpressions[*].operator

stringRequired

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

.spec.constraints.modules.selector.resource.matchExpressions[*].values

array

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

.spec.constraints.modules.selector.resource.matchExpressions[*].values[*]

string

.spec.constraints.modules.selector.resource.matchLabels

object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.

.spec.defaults

array

Defaults provides the ability to target specific terraform module based on namespace or resource labels and automatically inject variables into the configurations.

.spec.defaults[*]

object

DefaultVariables provides platform administrators the ability to inject default variables into a configuration

.spec.defaults[*].selector

objectRequired

Selector is used to determine which configurations the variables should be injected into

.spec.defaults[*].selector.modules

array

Modules provides a collection of regexes which are used to match against the configuration module

.spec.defaults[*].selector.modules[*]

string

.spec.defaults[*].selector.namespace

object

Namespace selectors all configurations under one or more namespaces, determined by the labeling on the namespace.

.spec.defaults[*].selector.namespace.matchExpressions

array

matchExpressions is a list of label selector requirements. The requirements are ANDed.

.spec.defaults[*].selector.namespace.matchExpressions[*]

object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

.spec.defaults[*].selector.namespace.matchExpressions[*].key

stringRequired

key is the label key that the selector applies to.

.spec.defaults[*].selector.namespace.matchExpressions[*].operator

stringRequired

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

.spec.defaults[*].selector.namespace.matchExpressions[*].values

array

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

.spec.defaults[*].selector.namespace.matchExpressions[*].values[*]

string

.spec.defaults[*].selector.namespace.matchLabels

object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.

.spec.defaults[*].variables

objectRequired

Variables is a collection of variables to inject into the configuration

.spec.summary

string

Summary is an optional field which can be used to define a summary of what the policy is configured to enforce.

.status

object

PolicyStatus defines the observed state of a provider

.status.conditions

array

Conditions represents the observations of the resource’s current state.

.status.conditions[*]

object

Condition is the current observed condition of some aspect of a resource

.status.conditions[*].detail

string

Detail is any additional human-readable detail to understand this condition, for example, the full underlying error which caused an issue

.status.conditions[*].lastTransitionTime

string

LastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

.status.conditions[*].message

string

Message is a human readable message indicating details about the transition. This may be an empty string.

.status.conditions[*].name

stringRequired

Name is a human-readable name for this condition.

.status.conditions[*].observedGeneration

integer

ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

.status.conditions[*].reason

stringRequired

Reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

.status.conditions[*].status

stringRequired

Status of the condition, one of True, False, Unknown.

.status.conditions[*].type

stringRequired

Type of condition in CamelCase or in foo.example.com/CamelCase. — Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

.status.lastReconcile

object

LastReconcile describes the generation and time of the last reconciliation

.status.lastReconcile.generation

integer

Generation is the generation reconciled on the last reconciliation

.status.lastReconcile.time

string

Time is the last time the resource was reconciled

.status.lastSuccess

object

LastSuccess descibes the generation and time of the last reconciliation which resulted in a Success status

.status.lastSuccess.generation

integer

Generation is the generation reconciled on the last reconciliation

.status.lastSuccess.time

string

Time is the last time the resource was reconciled