deperecate policyset crd

weaveworks · Nov 26, 2023 · 359eb61 · 359eb61
1 parent a2a59c0
commit 359eb61
Show file tree

Hide file tree

Showing 30 changed files with 1,299 additions and 1,093 deletions.
diff --git a/api/v2beta2/policy_types.go b/api/v2beta2/policy_types.go
@@ -142,7 +142,6 @@ type PolicySpec struct {
 //+kubebuilder:printcolumn:name="Provider",type=string,JSONPath=`.spec.provider`
 //+kubebuilder:printcolumn:name="Modes",type=string,JSONPath=`.status.modes_str`
 //+kubebuilder:resource:scope=Cluster
-//+kubebuilder:storageversion
 //+kubebuilder:subresource:status
 
 // Policy is the Schema for the policies API

diff --git a/api/v2beta2/policyconfig_types.go b/api/v2beta2/policyconfig_types.go
@@ -68,7 +68,6 @@ type PolicyConfigSpec struct {
 
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster
-// +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
 // +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`

diff --git a/api/v2beta3/groupversion_info.go b/api/v2beta3/groupversion_info.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v2beta3 contains API Schema definitions for the  v2beta3 API group
+// +kubebuilder:object:generate=true
+// +groupName=pac.weave.works
+package v2beta3
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "pac.weave.works", Version: "v2beta2"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
diff --git a/api/v2beta3/policy_types.go b/api/v2beta3/policy_types.go
@@ -0,0 +1,147 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2beta3
+
+import (
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	PolicyResourceName       = "policies"
+	PolicyKind               = "Policy"
+	PolicyListKind           = "PolicyList"
+	TenancyTag               = "tenancy"
+	PolicyKubernetesProvider = "kubernetes"
+	PolicyTerraformProvider  = "terraform"
+)
+
+var (
+	PolicyGroupVersionResource = GroupVersion.WithResource(PolicyResourceName)
+)
+
+// PolicyParameters defines a needed input in a policy
+type PolicyParameters struct {
+	// Name is a descriptive name of a policy parameter
+	Name string `json:"name"`
+	// Type is the type of that parameter, integer, string,...
+	Type string `json:"type"`
+	// Required specifies if this is a necessary value or not
+	Required bool `json:"required"`
+	// +optional
+	// Value is the value for that parameter
+	Value *apiextensionsv1.JSON `json:"value,omitempty"`
+}
+
+// PolicyTargets are filters used to determine which resources should be evaluated against a policy
+type PolicyTargets struct {
+	// Kinds is a list of Kubernetes kinds that are supported by this policy
+	Kinds []string `json:"kinds"`
+	// +optional
+	// Labels is a list of Kubernetes labels that are needed to evaluate the policy against a resource
+	// this filter is statisfied if only one label existed, using * for value make it so it will match if the key exists regardless of its value
+	Labels []map[string]string `json:"labels"`
+	// +optional
+	// Namespaces is a list of Kubernetes namespaces that a resource needs to be a part of to evaluate against this policy
+	Namespaces []string `json:"namespaces"`
+}
+
+type PolicyStandard struct {
+	// ID idenitifer of the standarad
+	ID string `json:"id"`
+	// Controls standard controls
+	Controls []string `json:"controls,omitempty"`
+}
+
+// PolicySpec defines the desired state of Policy
+// It describes all that is needed to evaluate a resource against a rego code
+// +kubebuilder:object:generate:true
+type PolicySpec struct {
+	// Name is the policy name
+	Name string `json:"name"`
+	// ID is the policy unique identifier
+	ID string `json:"id"`
+	// Code contains the policy rego code
+	Code string `json:"code"`
+	// +optional
+	// Enabled flag for third parties consumers that indicates if this policy should be considered or not
+	Enabled bool `json:"enabled,omitempty"`
+	// +optional
+	// Parameters are the inputs needed for the policy validation
+	Parameters []PolicyParameters `json:"parameters,omitempty"`
+	// +optional
+	// Targets describes the required metadata that needs to be matched to evaluate a resource against the policy
+	// all values specified need to exist in the resource to be considered for evaluation
+	Targets PolicyTargets `json:"targets,omitempty"`
+	// Description is a summary of what that policy validates
+	Description string `json:"description"`
+	// HowToSolve is a description of the steps required to solve the issues reported by the policy
+	HowToSolve string `json:"how_to_solve"`
+	// Category specifies under which grouping this policy should be included
+	Category string `json:"category"`
+	// +optional
+	// Tags is a list of tags associated with that policy
+	Tags []string `json:"tags,omitempty"`
+	// +kubebuilder:validation:Enum=low;medium;high
+	// Severity is a measure of the impact of that policy, can be low, medium or high
+	Severity string `json:"severity"`
+	// +optional
+	// Standards is a list of policy standards that this policy falls under
+	Standards []PolicyStandard `json:"standards"`
+	//+optional
+	//+kubebuilder:default:=kubernetes
+	//+kubebuilder:validation:Enum=kubernetes;terraform
+	// Provider is policy provider, can be kubernetes, terraform
+	Provider string `json:"provider"`
+
+	//+optional
+	//+kubebuilder:default:=false
+	// Mutate is a flag that indicates whether to enable mutation of resources violating this policy or not
+	Mutate bool `json:"mutate"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:printcolumn:name="Severity",type=string,JSONPath=`.spec.severity`
+//+kubebuilder:printcolumn:name="Category",type=string,JSONPath=`.spec.category`
+//+kubebuilder:printcolumn:name="Provider",type=string,JSONPath=`.spec.provider`
+//+kubebuilder:resource:scope=Cluster
+//+kubebuilder:storageversion
+
+// Policy is the Schema for the policies API
+type Policy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              PolicySpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:storageversion
+
+// PolicyList contains a list of Policy
+type PolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Policy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(
+		&Policy{},
+		&PolicyList{},
+	)
+}
diff --git a/api/v2beta3/policyconfig_types.go b/api/v2beta3/policyconfig_types.go
@@ -0,0 +1,145 @@
+package v2beta3
+
+import (
+	"fmt"
+	"strings"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	PolicyConfigResourceName = "policyconfigs"
+	PolicyConfigKind         = "PolicyConfig"
+	PolicyConfigListKind     = "PolicyListConfig"
+)
+
+var (
+	PolicyConfigGroupVersionResource = GroupVersion.WithResource(PolicyConfigResourceName)
+)
+
+// PolicyConfigStatus will hold the policies ids that don't exist in the cluster
+type PolicyConfigStatus struct {
+	Status          string   `json:"status,omitempty"`
+	MissingPolicies []string `json:"missingPolicies,omitempty"`
+}
+type PolicyTargetApplication struct {
+	//+kubebuilder:validation:Enum=HelmRelease;Kustomization
+	Kind string `json:"kind"`
+	Name string `json:"name"`
+	//+optional
+	Namespace string `json:"namespace"`
+}
+
+func (at *PolicyTargetApplication) ID() string {
+	return fmt.Sprintf("%s/%s:%s", strings.ToLower(at.Kind), at.Name, at.Namespace)
+}
+
+type PolicyTargetResource struct {
+	Kind string `json:"kind"`
+	Name string `json:"name"`
+	// +optional
+	Namespace string `json:"namespace"`
+}
+
+func (rt *PolicyTargetResource) ID() string {
+	return fmt.Sprintf("%s/%s:%s", strings.ToLower(rt.Kind), rt.Name, rt.Namespace)
+}
+
+type PolicyConfigTarget struct {
+	//+optional
+	Workspaces []string `json:"workspaces,omitempty"`
+	//+optional
+	Namespaces []string `json:"namespaces,omitempty"`
+	//+optional
+	Applications []PolicyTargetApplication `json:"apps,omitempty"`
+	//+optional
+	Resources []PolicyTargetResource `json:"resources,omitempty"`
+}
+
+type PolicyConfigConfig struct {
+	Parameters map[string]apiextensionsv1.JSON `json:"parameters"`
+}
+
+type PolicyConfigSpec struct {
+	Config map[string]PolicyConfigConfig `json:"config"`
+	Match  PolicyConfigTarget            `json:"match"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.status`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// PolicyConfig is the Schema for the policyconfigs API
+type PolicyConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              PolicyConfigSpec   `json:"spec,omitempty"`
+	Status            PolicyConfigStatus `json:"status,omitempty"`
+}
+
+// SetPolicyConfigStatus sets policy config status
+func (c *PolicyConfig) SetPolicyConfigStatus(missingPolicies []string) {
+	if len(missingPolicies) > 0 {
+		c.Status.Status = "Warning"
+	} else {
+		c.Status.Status = "OK"
+	}
+	c.Status.MissingPolicies = missingPolicies
+}
+
+func (c *PolicyConfig) Validate() error {
+	var target string
+
+	if c.Spec.Match.Workspaces != nil {
+		target = "workspaces"
+	}
+
+	if c.Spec.Match.Namespaces != nil {
+		if target != "" {
+			return fmt.Errorf("cannot target %s and namespaces in same policy config", target)
+		}
+		target = "namespaces"
+	}
+
+	if c.Spec.Match.Applications != nil {
+		if target != "" {
+			return fmt.Errorf("cannot target %s and apps in same policy config", target)
+		}
+		target = "apps"
+	}
+
+	if c.Spec.Match.Resources != nil {
+		if target != "" {
+			return fmt.Errorf("cannot target %s and resources in same policy config", target)
+		}
+		target = "resources"
+	}
+
+	if target == "" {
+		return fmt.Errorf("policy config must target namespace, application or resource")
+	}
+
+	return nil
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:storageversion
+
+// PolicyConfigList contains a list of PolicyConfig
+type PolicyConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PolicyConfig `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(
+		&PolicyConfig{},
+		&PolicyConfigList{},
+	)
+}