v1alpha1

package v0.0.15

Published: Aug 6, 2024 License: Apache-2.0 Imports: 5 Imported by: 3

Documentation

Overview

Package v1alpha1 contains API Schema definitions for the validation v1alpha1 API group.

+kubebuilder:object:generate=true
+groupName=validation.spectrocloud.labs

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "validation.spectrocloud.labs", Version: "v1alpha1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type ActionStr

type ActionStr string

ActionStr is a type used for Action strings and DataAction strings. The alias exists to enable kubebuilder max string length validation for arrays of these.

+kubebuilder:validation:MaxLength=200

type AzureAuth

type AzureAuth struct {
	// If true, the AzureValidator will use the Azure SDK's default credential chain to authenticate.
	// Set to true if using WorkloadIdentityCredentials.
	Implicit bool `json:"implicit" yaml:"implicit"`
	// Name of a Secret in the same namespace as the AzureValidator that contains Azure credentials.
	// The secret data's keys and values are expected to align with valid Azure environment variable credentials,
	// per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.
	SecretName string `json:"secretName,omitempty" yaml:"secretName,omitempty"`
}

AzureAuth defines authentication configuration for an AzureValidator.

func (*AzureAuth) DeepCopy

func (in *AzureAuth) DeepCopy() *AzureAuth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureAuth.

func (*AzureAuth) DeepCopyInto

func (in *AzureAuth) DeepCopyInto(out *AzureAuth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AzureValidator

type AzureValidator struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   AzureValidatorSpec   `json:"spec,omitempty"`
	Status AzureValidatorStatus `json:"status,omitempty"`
}

AzureValidator is the Schema for the azurevalidators API.

func (*AzureValidator) DeepCopy

func (in *AzureValidator) DeepCopy() *AzureValidator

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidator.

func (*AzureValidator) DeepCopyInto

func (in *AzureValidator) DeepCopyInto(out *AzureValidator)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AzureValidator) DeepCopyObject

func (in *AzureValidator) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (AzureValidator) PluginCode added in v0.0.15

func (v AzureValidator) PluginCode() string

PluginCode returns the Azure validator's plugin code.

func (AzureValidator) ResultCount added in v0.0.15

func (v AzureValidator) ResultCount() int

ResultCount returns the number of validation results expected for an AzureValidator.

type AzureValidatorList

type AzureValidatorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AzureValidator `json:"items"`
}

AzureValidatorList contains a list of AzureValidator.

func (*AzureValidatorList) DeepCopy

func (in *AzureValidatorList) DeepCopy() *AzureValidatorList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorList.

func (*AzureValidatorList) DeepCopyInto

func (in *AzureValidatorList) DeepCopyInto(out *AzureValidatorList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AzureValidatorList) DeepCopyObject

func (in *AzureValidatorList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type AzureValidatorSpec

type AzureValidatorSpec struct {
	// Rules for validating that the correct role assignments have been created in Azure RBAC to
	// provide needed permissions.
	// +kubebuilder:validation:MaxItems=5
	// +kubebuilder:validation:XValidation:message="RBACRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
	RBACRules []RBACRule `json:"rbacRules,omitempty" yaml:"rbacRules,omitempty"`
	// Rules for validating that images exist in an Azure Compute Gallery published as a community
	// gallery.
	CommunityGalleryImageRules []CommunityGalleryImageRule `json:"communityGalleryImageRules,omitempty" yaml:"communityGalleryImageRules,omitempty"`
	Auth                       AzureAuth                   `json:"auth" yaml:"auth"`
}

AzureValidatorSpec defines the desired state of AzureValidator.

func (*AzureValidatorSpec) DeepCopy

func (in *AzureValidatorSpec) DeepCopy() *AzureValidatorSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorSpec.

func (*AzureValidatorSpec) DeepCopyInto

func (in *AzureValidatorSpec) DeepCopyInto(out *AzureValidatorSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (AzureValidatorSpec) PluginCode added in v0.0.15

func (s AzureValidatorSpec) PluginCode() string

PluginCode returns the Azure validator's plugin code.

func (AzureValidatorSpec) ResultCount

func (s AzureValidatorSpec) ResultCount() int

ResultCount returns the number of validation results expected for an AzureValidatorSpec.

type AzureValidatorStatus

type AzureValidatorStatus struct{}

AzureValidatorStatus defines the observed state of AzureValidator.

func (*AzureValidatorStatus) DeepCopy

func (in *AzureValidatorStatus) DeepCopy() *AzureValidatorStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureValidatorStatus.

func (*AzureValidatorStatus) DeepCopyInto

func (in *AzureValidatorStatus) DeepCopyInto(out *AzureValidatorStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CommunityGallery added in v0.0.12

type CommunityGallery struct {
	// Location is the location of the community gallery (e.g. "westus").
	Location string `json:"location" yaml:"location"`
	// Name is the name of the community gallery.
	Name string `json:"name" yaml:"name"`
}

CommunityGallery is a community gallery in a particular location.

func (*CommunityGallery) DeepCopy added in v0.0.12

func (in *CommunityGallery) DeepCopy() *CommunityGallery

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommunityGallery.

func (*CommunityGallery) DeepCopyInto added in v0.0.12

func (in *CommunityGallery) DeepCopyInto(out *CommunityGallery)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CommunityGalleryImageRule added in v0.0.12

type CommunityGalleryImageRule struct {
	// Name is a unique identifier for the rule in the validator. Used to ensure conditions do not
	// overwrite each other.
	// +kubebuilder:validation:MaxLength=200
	Name string `json:"name" yaml:"name"`
	// Gallery is the community gallery.
	Gallery CommunityGallery `json:"gallery" yaml:"gallery"`
	// Images is a list of image names.
	//+kubebuilder:validation:MinItems=1
	//+kubebuilder:validation:MaxItems=1000
	Images []string `json:"images" yaml:"images"`
	// SubscriptionID is the ID of the subscription.
	SubscriptionID string `json:"subscriptionID" yaml:"subscriptionID"`
}

CommunityGalleryImageRule verifies that one or more images in a community gallery exist and are accessible by a particular subscription.

func (*CommunityGalleryImageRule) DeepCopy added in v0.0.12

func (in *CommunityGalleryImageRule) DeepCopy() *CommunityGalleryImageRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommunityGalleryImageRule.

func (*CommunityGalleryImageRule) DeepCopyInto added in v0.0.12

func (in *CommunityGalleryImageRule) DeepCopyInto(out *CommunityGalleryImageRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PermissionSet

type PermissionSet struct {
	// Actions is a list of actions that the role must be able to perform. Must not contain any
	// wildcards. If not specified, the role is assumed to already be able to perform all required
	// actions.
	//+kubebuilder:validation:MaxItems=1000
	//+kubebuilder:validation:XValidation:message="Actions cannot have wildcards.",rule="self.all(item, !item.contains('*'))"
	Actions []ActionStr `json:"actions,omitempty" yaml:"actions,omitempty"`
	// DataActions is a list of data actions that the role must be able to perform. Must not
	// contain any wildcards. If not provided, the role is assumed to already be able to perform
	// all required data actions.
	//+kubebuilder:validation:MaxItems=1000
	//+kubebuilder:validation:XValidation:message="DataActions cannot have wildcards.",rule="self.all(item, !item.contains('*'))"
	DataActions []ActionStr `json:"dataActions,omitempty" yaml:"dataActions,omitempty"`
	// Scope is the minimum scope of the role. Role assignments found at higher level scopes will
	// satisfy this. For example, a role assignment found with subscription scope will satisfy a
	// permission set where the role scope specified is a resource group within that subscription.
	Scope string `json:"scope" yaml:"scope"`
}

PermissionSet is part of an RBAC rule and verifies that a security principal has the specified permissions (via role assignments) at the specified scope. Scope can be either subscription, resource group, or resource.

func (*PermissionSet) DeepCopy

func (in *PermissionSet) DeepCopy() *PermissionSet

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionSet.

func (*PermissionSet) DeepCopyInto

func (in *PermissionSet) DeepCopyInto(out *PermissionSet)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RBACRule

type RBACRule struct {
	// Unique identifier for the rule in the validator. Used to ensure conditions do not overwrite
	// each other.
	Name string `json:"name" yaml:"name"`
	// The permissions that the principal must have. If the principal has permissions less than
	// this, validation will fail. If the principal has permissions equal to or more than this
	// (e.g., inherited permissions from higher level scope, more roles than needed) validation
	// will pass.
	//+kubebuilder:validation:MinItems=1
	//+kubebuilder:validation:MaxItems=20
	//+kubebuilder:validation:XValidation:message="Each permission set must have Actions, DataActions, or both defined",rule="self.all(item, size(item.actions) > 0 || size(item.dataActions) > 0)"
	Permissions []PermissionSet `json:"permissionSets" yaml:"permissionSets"`
	// The principal being validated. This can be any type of principal - Device, ForeignGroup,
	// Group, ServicePrincipal, or User. If using a service principal, this is the "application
	// object ID". In the Azure portal, this can be found by navigating to Entra ID, selecting the
	// application registration of the service principal, navigating from that page to the managed
	// application page, and copying the "object ID". This ID is different from the tenant ID,
	// client ID, and object ID of the application registration.
	PrincipalID string `json:"principalId" yaml:"principalId"`
}

RBACRule verifies that a security principal has permissions via role assignments and that no deny assignments deny the permissions.

func (*RBACRule) DeepCopy

func (in *RBACRule) DeepCopy() *RBACRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBACRule.

func (*RBACRule) DeepCopyInto

func (in *RBACRule) DeepCopyInto(out *RBACRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
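The scope semantics documented for PermissionSet and RBACRule above (an assignment at the required scope or any ancestor scope satisfies the rule, and required actions never carry wildcards), as an added example that is not part of the plugin's own code. RoleAssignment is a hypothetical local type standing in for an Azure role assignment already resolved to its role definition's Actions; the subscription ID is constructed, and DataActions and deny assignments are not modelled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleAssignment is a constructed stand-in for an Azure role assignment resolved
// to the Actions its role definition grants at its scope.
type RoleAssignment struct {
	Scope   string
	Actions []string
}

// scopeCovers is true when the assignment scope equals or is an ancestor of the
// required scope (a subscription-level assignment covers its resource groups).
func scopeCovers(assignment, required string) bool {
	a := strings.ToLower(strings.TrimSuffix(assignment, "/"))
	r := strings.ToLower(strings.TrimSuffix(required, "/"))
	return r == a || strings.HasPrefix(r, a+"/")
}

// grants matches a role definition action pattern against a required action;
// '*' matches any run of characters, as it does in Azure role definitions.
func grants(pattern, action string) bool {
	re := "(?i)^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	return regexp.MustCompile(re).MatchString(action)
}

// Satisfied reports whether assignments at or above scope grant every required action, and lists the missing ones.
func Satisfied(scope string, required []string, as []RoleAssignment) (bool, []string) {
	var missing []string
next:
	for _, want := range required {
		for _, ra := range as {
			if !scopeCovers(ra.Scope, scope) {
				continue // narrower or unrelated scope does not count
			}
			for _, g := range ra.Actions {
				if grants(g, want) {
					continue next
				}
			}
		}
		missing = append(missing, want)
	}
	return len(missing) == 0, missing
}

func main() {
	sub := "/subscriptions/00000000-0000-0000-0000-000000000000" // constructed ID
	fmt.Println(Satisfied(sub+"/resourceGroups/rg1", []string{"Microsoft.Compute/virtualMachines/read"},
		[]RoleAssignment{{Scope: sub, Actions: []string{"*/read"}}})) // true []
}
```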
