forked from GoogleCloudPlatform/csp-config-management
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfigmanagement_v1_configmanagement.yaml
194 lines (194 loc) · 12.5 KB
/
configmanagement_v1_configmanagement.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: configmanagements.configmanagement.gke.io
spec:
group: configmanagement.gke.io
names:
kind: ConfigManagement
listKind: ConfigManagementList
plural: configmanagements
singular: configmanagement
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: ConfigManagement is the Schema for the ConfigManagement API.
type: object
required:
- metadata
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConfigManagementSpec defines the desired state of ConfigManagement.
type: object
properties:
binauthz:
description: BinAuthz enables Binary Authorization as recognized by the "binauthz.configmanagement.gke.io" label set to "true".
type: object
properties:
enabled:
description: 'Enable or disable BinAuthz. Default: false.'
type: boolean
policyRef:
description: PolicyRef is a reference to the BinAuthz policy which will be evaluated. Required if BinAuthz is enabled.
type: object
properties:
gkeCluster:
description: BinAuthz policy associated with this GKE-on-GCP cluster.
type: object
properties:
location:
description: Location of this cluster
type: string
name:
description: The name of this cluster according to GKE. This is not necessarily the same as the hub membership name.
type: string
project:
description: The name of the GCP project containing this cluster
type: string
channel:
description: 'Channel specifies a channel that can be used to resolve a specific addon, eg: stable It will be ignored if Version is specified'
type: string
clusterName:
description: ClusterName, if defined, sets the name for this cluster. If unset, the cluster is considered to be unnamed, and cannot use ClusterSelectors.
type: string
configConnector:
description: 'Deprecated: Does nothing. ConfigConnector can no longer be enabled/disabled with the ConfigManagement resource; the software is available as a standalone: https://cloud.google.com/config-connector'
type: object
properties:
enabled:
description: 'Enable or disable the Config Connector. Default: false.'
type: boolean
enableLegacyFields:
description: EnableLegacyFields instructs the operator to use spec.git for generating a RootSync resource in MultiRepo mode. Note that this should only be set to true if spec.enableMultiRepo is set to true.
type: boolean
enableMultiRepo:
description: EnableMultiRepo instructs the operator to enable Multi Repo mode for Config Sync.
type: boolean
git:
description: Git contains configuration specific to importing policies from a Git repo.
type: object
properties:
gcpServiceAccountEmail:
description: 'GCPServiceAccountEmail specifies the GCP service account used to annotate the Config Sync Kubernetes Service Account. Note: The field is used when secretType: gcpServiceAccount.'
type: string
policyDir:
description: 'PolicyDir is the absolute path of the directory that contains the local policy. Default: the root directory of the repo.'
type: string
proxy:
description: Proxy is a struct that contains options for configuring access to the Git repo via a proxy. Only has an effect when secretType is one of ("cookiefile", "none"). Optional.
type: object
properties:
httpProxy:
description: HTTPProxy defines a HTTP_PROXY env variable used to access the Git repo. If both HTTPProxy and HTTPSProxy are specified, HTTPProxy will be ignored. Optional.
type: string
httpsProxy:
description: HTTPSProxy defines a HTTPS_PROXY env variable used to access the Git repo. If both HTTPProxy and HTTPSProxy are specified, HTTPProxy will be ignored. Optional.
type: string
secretType:
description: SecretType is the type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. Required. The validation of this is case-sensitive.
type: string
pattern: ^(ssh|cookiefile|gcenode|gcpserviceaccount|token|none)$
syncBranch:
description: 'SyncBranch is the branch to sync from. Default: "master".'
type: string
syncRepo:
type: string
pattern: ^(((https?|git|ssh):\/\/)|git@)
syncRev:
description: 'SyncRev is the git revision (tag or hash) to check out. Default: HEAD.'
type: string
syncWait:
description: 'SyncWaitSeconds is the time duration in seconds between consecutive syncs. Default: 15 seconds. Note that SyncWaitSecs is not a time.Duration on purpose. This provides a reminder to developers that customers specify this value using using integers like "3" in their ConfigManagement YAML. However, time.Duration is at a nanosecond granularity, and it''s easy to introduce a bug where it looks like the code is dealing with seconds but its actually nanoseconds (or vice versa).'
type: integer
hierarchyController:
description: Hierarchy Controller enables HierarchyController components as recognized by the "hierarchycontroller.configmanagement.gke.io" label set to "true".
type: object
properties:
enableHierarchicalResourceQuota:
description: 'HierarchicalResourceQuota enforces resource quota in a hierarchical fashion: a resource quota set for one namespace provides constraints that limit aggregate resource consumption for that namespace and all its descendants. Disabling this will not delete user created hrq CRs, but will delete all the intermediate resources created by HRQ (specifically the resource quota singletons), which are labeled with hierarchycontroller.configmanagement.gke.io/hrq for easier cleanup.'
type: boolean
enablePodTreeLabels:
description: PodTreeLabels copies the tree labels from namespaces to pods, allowing any system that uses pod logs (such as Stackdriver logging) to inspect the hierarchy.
type: boolean
enabled:
description: 'Enable or disable the Hierarchy Controller. Default: false.'
type: boolean
policyController:
description: Policy Controller enables PolicyController components as recognized by the "gatekeeper.sh/manifest" label set to "true".
type: object
properties:
auditIntervalSeconds:
description: AuditIntervalSeconds. The number of seconds between audit runs. Defaults to 60 seconds. To disable audit, set this to 0.
type: integer
format: int64
enabled:
description: 'Enable or disable the Policy Controller. Default: false.'
type: boolean
exemptableNamespaces:
description: ExemptableNamespaces. The namespaces in this list are able to have the admission.gatekeeper.sh/ignore label set. When the label is set, Policy Controller will not be called for that namespace or any resources contained in it. `gatekeeper-system` is always exempted.
type: array
items:
type: string
logDeniesEnabled:
description: 'LogDeniesEnabled. If true, Policy Controller will log all denies and dryrun failures. No effect unless policyController is enabled. Default: false.'
type: boolean
mutation:
description: Mutation specifies the configuration of mutation. This is a preview feature and may change before becoming generally available.
type: object
properties:
enabled:
description: 'Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller will be deployed to the cluster. Default: false.'
type: boolean
referentialRulesEnabled:
description: 'ReferentialRulesEnabled. If true, Policy Controller will allow `data.inventory` references in the contents of ConstraintTemplate Rego. No effect unless policyController is enabled. Default: false.'
type: boolean
templateLibraryInstalled:
description: 'TemplateLibraryInstalled. If true, a set of default ConstraintTemplates will be deployed to the cluster. ConstraintTemplates will not be deployed if this is explicitly set to false or if policyController is not enabled. Default: true.'
type: boolean
sourceFormat:
description: "SourceFormat specifies how the repository is formatted. See documentation for specifics of what these options do. \n Must be one of hierarchy, unstructured. Optional. Set to hierarchy if not specified. \n The validation of this is case-sensitive."
type: string
pattern: ^(hierarchy|unstructured|)$
version:
description: Version specifies the exact addon version to be deployed, eg 1.2.3 It should not be specified if Channel is specified
type: string
x-kubernetes-preserve-unknown-fields: true
status:
description: ConfigManagementStatus defines the observed state of ConfigManagement.
type: object
required:
- healthy
properties:
configManagementVersion:
description: ConfigManagementVersion is the semantic version number of the config management system enforced by the currently running config management operator.
type: string
errors:
type: array
items:
type: string
healthy:
type: boolean
phase:
type: string
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []