Add fields to the Policy CRD for policy ordering

Refs: - open-cluster-management-io/enhancements#74 Signed-off-by: Justin Kulikauskas <[email protected]>
open-cluster-management-io · Oct 14, 2022 · d078c8d · d078c8d
1 parent aec17c2
commit d078c8d
Show file tree

Hide file tree

Showing 4 changed files with 175 additions and 7 deletions.
diff --git a/api/v1/policy_types.go b/api/v1/policy_types.go
@@ -24,25 +24,58 @@ const (
 // PolicyTemplate template for custom security policy
 type PolicyTemplate struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
+	// A Kubernetes object defining the policy to apply to a managed cluster
 	ObjectDefinition runtime.RawExtension `json:"objectDefinition"`
+
+	// Additional PolicyDependencies that only apply to this template
+	ExtraDependencies []PolicyDependency `json:"extraDependencies,omitempty"`
+
+	// Ignore this template's Pending status when calculating the overall Policy status
+	IgnorePending bool `json:"ignorePending,omitempty"`
 }
 
 // ComplianceState shows the state of enforcement
 type ComplianceState string
 
 const (
-	// Compliant is an ComplianceState
+	// Compliant is a ComplianceState
 	Compliant ComplianceState = "Compliant"
 
-	// NonCompliant is an ComplianceState
+	// NonCompliant is a ComplianceState
 	NonCompliant ComplianceState = "NonCompliant"
+
+	// Pending is a ComplianceState
+	Pending ComplianceState = "Pending"
 )
 
+// Each PolicyDepenency defines an object reference which must be in a certain compliance
+// state before the policy should be created.
+type PolicyDependency struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// The name of the object to be checked
+	Name string `json:"name"`
+
+	// The namespace of the object to be checked (optional)
+	Namespace string `json:"namespace,omitempty"`
+
+	// The ComplianceState (at path .status.compliant) required before the policy should be created
+	Compliance string `json:"compliance"`
+}
+
 // PolicySpec defines the desired state of Policy
 type PolicySpec struct {
-	Disabled          bool              `json:"disabled"`
-	RemediationAction RemediationAction `json:"remediationAction,omitempty"` // Enforce, Inform
-	PolicyTemplates   []*PolicyTemplate `json:"policy-templates"`
+	// This provides the ability to enable and disable your policies.
+	Disabled bool `json:"disabled"`
+
+	// This value (Enforce or Inform) will override the remediationAction on each template
+	RemediationAction RemediationAction `json:"remediationAction,omitempty"`
+
+	// Used to create one or more policies to apply to a managed cluster
+	PolicyTemplates []*PolicyTemplate `json:"policy-templates"`
+
+	// PolicyDependencies that apply to each template in this Policy
+	Dependencies []PolicyDependency `json:"dependencies,omitempty"`
 }
 
 // PlacementDecision defines the decision made by controller

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/deploy/crds/policy.open-cluster-management.io_policies.yaml b/deploy/crds/policy.open-cluster-management.io_policies.yaml
@@ -48,21 +48,103 @@ spec:
           spec:
             description: PolicySpec defines the desired state of Policy
             properties:
+              dependencies:
+                description: PolicyDependencies that apply to each template in this
+                  Policy
+                items:
+                  description: Each PolicyDepenency defines an object reference which
+                    must be in a certain compliance state before the policy should
+                    be created.
+                  properties:
+                    apiVersion:
+                      description: 'APIVersion defines the versioned schema of this
+                        representation of an object. Servers should convert recognized
+                        schemas to the latest internal value, and may reject unrecognized
+                        values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                      type: string
+                    compliance:
+                      description: The ComplianceState (at path .status.compliant)
+                        required before the policy should be created
+                      type: string
+                    kind:
+                      description: 'Kind is a string value representing the REST resource
+                        this object represents. Servers may infer this from the endpoint
+                        the client submits requests to. Cannot be updated. In CamelCase.
+                        More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                      type: string
+                    name:
+                      description: The name of the object to be checked
+                      type: string
+                    namespace:
+                      description: The namespace of the object to be checked (optional)
+                      type: string
+                  required:
+                  - compliance
+                  - name
+                  type: object
+                type: array
               disabled:
+                description: This provides the ability to enable and disable your
+                  policies.
                 type: boolean
               policy-templates:
+                description: Used to create one or more policies to apply to a managed
+                  cluster
                 items:
                   description: PolicyTemplate template for custom security policy
                   properties:
+                    extraDependencies:
+                      description: Additional PolicyDependencies that only apply to
+                        this template
+                      items:
+                        description: Each PolicyDepenency defines an object reference
+                          which must be in a certain compliance state before the policy
+                          should be created.
+                        properties:
+                          apiVersion:
+                            description: 'APIVersion defines the versioned schema
+                              of this representation of an object. Servers should
+                              convert recognized schemas to the latest internal value,
+                              and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                            type: string
+                          compliance:
+                            description: The ComplianceState (at path .status.compliant)
+                              required before the policy should be created
+                            type: string
+                          kind:
+                            description: 'Kind is a string value representing the
+                              REST resource this object represents. Servers may infer
+                              this from the endpoint the client submits requests to.
+                              Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                            type: string
+                          name:
+                            description: The name of the object to be checked
+                            type: string
+                          namespace:
+                            description: The namespace of the object to be checked
+                              (optional)
+                            type: string
+                        required:
+                        - compliance
+                        - name
+                        type: object
+                      type: array
+                    ignorePending:
+                      description: Ignore this template's Pending status when calculating
+                        the overall Policy status
+                      type: boolean
                     objectDefinition:
+                      description: A Kubernetes object defining the policy to apply
+                        to a managed cluster
                       type: object
                       x-kubernetes-preserve-unknown-fields: true
                   required:
                   - objectDefinition
                   type: object
                 type: array
               remediationAction:
-                description: RemediationAction describes weather to enforce or inform
+                description: This value (Enforce or Inform) will override the remediationAction
+                  on each template
                 enum:
                 - Inform
                 - inform