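---
# CustomResourceDefinition for ComplianceScan (group compliance.openshift.io, version v1alpha1).
# This file is controller-gen output (see the annotation under metadata); expect hand edits
# to be lost on regeneration and make schema changes in the API types instead.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.12.1
  name: compliancescans.compliance.openshift.io
spec:
  group: compliance.openshift.io
  names:
    kind: ComplianceScan
    listKind: ComplianceScanList
    plural: compliancescans
    shortNames:
    - scans
    - scan
    singular: compliancescan
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .status.phase
      name: Phase
      type: string
    - jsonPath: .status.result
      name: Result
      type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ComplianceScan represents a scan with a certain configuration
          that will be applied to objects of a certain entity in the host. These could
          be nodes that apply to a certain nodeSelector, or the cluster itself.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: The spec is the configuration for the compliance scan.
            properties:
              content:
                description: Is the path to the file that contains the content (the
                  data stream). Note that the path needs to be relative to the `/`
                  (root) directory, as it is in the ContentImage
                type: string
              contentImage:
                description: Is the image with the content (Data Stream), that will
                  be used to run OpenSCAP.
                type: string
              debug:
                description: Enable debug logging of workloads and OpenSCAP
                type: boolean
              # NOTE(review): the description itself recommends the cluster-wide
              # config.openshift.io/Proxy object over setting a per-scan proxy here.
              httpsProxy:
                description: It is recommended to set the proxy via the config.openshift.io/Proxy
                  object Defines a proxy for the scan to get external resources from.
                  This is useful for disconnected installations with access to a proxy.
                type: string
              maxRetryOnTimeout:
                default: 3
                description: MaxRetryOnTimeout is the maximum number of times the
                  scan will be retried if it times out.
                type: integer
              noExternalResources:
                description: Defines that no external resources in the Data Stream
                  should be used. External resources could be, for instance, CVE feeds.
                  This is useful for disconnected installations without access to
                  a proxy.
                type: boolean
              nodeSelector:
                additionalProperties:
                  type: string
                description: By setting this, it's possible to only run the scan on
                  certain nodes in the cluster. Note that when applying remediations
                  generated from the scan, this should match the selector of the MachineConfigPool
                  you want to apply the remediations to.
                type: object
              priorityClass:
                description: Defines the PriorityClass to use for launching scan related
                  pods, the Name of a desired PriorityClass should be set here, this
                  is an optional field, if PriorityClass is invalid or not found,
                  it will be ignored.
                type: string
              profile:
                description: Is the profile in the data stream to be used. This is
                  the collection of rules that will be checked for.
                type: string
              rawResultStorage:
                description: Specifies settings that pertain to raw result storage.
                properties:
                  # NOTE(review): result-server pods mount the raw-results volume on the
                  # nodes selected here; per the description these should be trusted nodes.
                  nodeSelector:
                    additionalProperties:
                      type: string
                    description: By setting this, it's possible to configure where
                      the result server instances are run. These instances will mount
                      a Persistent Volume to store the raw results, so special care
                      should be taken to schedule these in trusted nodes.
                    type: object
                  pvAccessModes:
                    default:
                    - ReadWriteOnce
                    description: Specifies the access modes that the PersistentVolume
                      will be created with. The persistent volume will hold the raw
                      results of the scan.
                    items:
                      type: string
                    type: array
                  rotation:
                    default: 3
                    description: Specifies the amount of scans for which the raw results
                      will be stored. Older results will get rotated, and it's the
                      responsibility of administrators to store these results elsewhere
                      before rotation happens. Note that a rotation policy of '0'
                      disables rotation entirely. Defaults to 3.
                    type: integer
                  size:
                    default: 1Gi
                    description: Specifies the amount of storage to ask for storing
                      the raw results. Note that if re-scans happen, the new results
                      will also need to be stored. Defaults to 1Gi.
                    type: string
                  storageClassName:
                    description: Specifies the StorageClassName to use when creating
                      the PersistentVolumeClaim to hold the raw results. By default
                      this is null, which will attempt to use the default storage
                      class configured in the cluster. If there is no default class
                      specified then this needs to be set.
                    nullable: true
                    type: string
                  tolerations:
                    description: Specifies tolerations needed for the result server
                      to run on the nodes. This is useful in case the target set of
                      nodes have custom taints that don't allow certain workloads
                      to run. Defaults to allowing scheduling on master nodes.
                    items:
                      description: The pod this Toleration is attached to tolerates
                        any taint that matches the triple <key,value,effect> using
                        the matching operator <operator>.
                      properties:
                        effect:
                          description: Effect indicates the taint effect to match.
                            Empty means match all taint effects. When specified, allowed
                            values are NoSchedule, PreferNoSchedule and NoExecute.
                          type: string
                        key:
                          description: Key is the taint key that the toleration applies
                            to. Empty means match all taint keys. If the key is empty,
                            operator must be Exists; this combination means to match
                            all values and all keys.
                          type: string
                        operator:
                          description: Operator represents a key's relationship to
                            the value. Valid operators are Exists and Equal. Defaults
                            to Equal. Exists is equivalent to wildcard for value,
                            so that a pod can tolerate all taints of a particular
                            category.
                          type: string
                        tolerationSeconds:
                          description: TolerationSeconds represents the period of
                            time the toleration (which must be of effect NoExecute,
                            otherwise this field is ignored) tolerates the taint.
                            By default, it is not set, which means tolerate the taint
                            forever (do not evict). Zero and negative values will
                            be treated as 0 (evict immediately) by the system.
                          format: int64
                          type: integer
                        value:
                          description: Value is the taint value the toleration matches
                            to. If the operator is Exists, the value should be empty,
                            otherwise just a regular string.
                          type: string
                      type: object
                    type: array
                type: object
              remediationEnforcement:
                description: 'Specifies what to do with remediations of Enforcement
                  type. If left empty, this defaults to "off" which doesn''t create
                  nor apply any enforcement remediations. If set to "all" this creates
                  any enforcement remediations it encounters. Subsequently, this can
                  also be set to a specific type. e.g. setting it to "gatekeeper"
                  will apply any enforcement remediations relevant to the Gatekeeper
                  OPA system. These objects will annotated in the content itself with:
                  complianceascode.io/enforcement-type: <type>'
                type: string
              rule:
                description: A Rule can be specified if the scan should check only
                  for a specific rule. Note that when leaving this empty, the scan
                  will check for all the rules for a specific profile.
                type: string
              scanLimits:
                additionalProperties:
                  anyOf:
                  - type: integer
                  - type: string
                  pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                  x-kubernetes-int-or-string: true
                description: ScanLimits allows to set the resource limits that the
                  scan pods are allowed to use. By default, compliance operator will
                  use sensible defaults (500Mi memory, 100m CPU for the scanner container
                  and 200Mi memory with 100m CPU for the api-resource-collector container).
                type: object
              # The default toleration (operator Exists, no key) tolerates every taint,
              # which is what lets scan pods be scheduled on all nodes as the description states.
              scanTolerations:
                default:
                - operator: Exists
                description: Specifies tolerations needed for the scan to run on the
                  nodes. This is useful in case the target set of nodes have custom
                  taints that don't allow certain workloads to run. Defaults to allowing
                  scheduling on all nodes.
                items:
                  description: The pod this Toleration is attached to tolerates any
                    taint that matches the triple <key,value,effect> using the matching
                    operator <operator>.
                  properties:
                    effect:
                      description: Effect indicates the taint effect to match. Empty
                        means match all taint effects. When specified, allowed values
                        are NoSchedule, PreferNoSchedule and NoExecute.
                      type: string
                    key:
                      description: Key is the taint key that the toleration applies
                        to. Empty means match all taint keys. If the key is empty,
                        operator must be Exists; this combination means to match all
                        values and all keys.
                      type: string
                    operator:
                      description: Operator represents a key's relationship to the
                        value. Valid operators are Exists and Equal. Defaults to Equal.
                        Exists is equivalent to wildcard for value, so that a pod
                        can tolerate all taints of a particular category.
                      type: string
                    tolerationSeconds:
                      description: TolerationSeconds represents the period of time
                        the toleration (which must be of effect NoExecute, otherwise
                        this field is ignored) tolerates the taint. By default, it
                        is not set, which means tolerate the taint forever (do not
                        evict). Zero and negative values will be treated as 0 (evict
                        immediately) by the system.
                      format: int64
                      type: integer
                    value:
                      description: Value is the taint value the toleration matches
                        to. If the operator is Exists, the value should be empty,
                        otherwise just a regular string.
                      type: string
                  type: object
                type: array
              scanType:
                default: Node
                description: The type of Compliance scan.
                type: string
              showNotApplicable:
                default: false
                description: Determines whether to hide or show results that are not
                  applicable.
                type: boolean
              strictNodeScan:
                default: true
                description: Defines whether the scan should proceed if we're not
                  able to scan all the nodes or not. `true` means that the operator
                  should be strict and error out. `false` means that we don't need
                  to be strict and we can proceed.
                type: boolean
              tailoringConfigMap:
                description: Is a reference to a ConfigMap that contains the tailoring
                  file. It assumes a key called `tailoring.xml` which will have the
                  tailoring contents.
                properties:
                  name:
                    description: Name of the ConfigMap being referenced
                    type: string
                required:
                - name
                type: object
              timeout:
                default: 30m
                description: Timeout is the maximum amount of time the scan can run.
                  If the scan hasn't finished by then, it will be aborted.
                type: string
            type: object
          status:
            description: The status will give valuable information on what's going
              on with the scan; and, more importantly, if the scan is successful (compliant)
              or not (non-compliant)
            properties:
              conditions:
                description: Conditions is a set of Condition instances.
                items:
                  description: "Condition represents an observation of an object's
                    state. Conditions are an extension mechanism intended to be used
                    when the details of an observation are not a priori known or would
                    not apply to all instances of a given Kind. \n Conditions should
                    be added to explicitly convey properties that users and components
                    care about rather than requiring those properties to be inferred
                    from other observations. Once defined, the meaning of a Condition
                    can not be changed arbitrarily - it becomes part of the API, and
                    has the same backwards- and forwards-compatibility concerns of
                    any other part of the API."
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      description: ConditionReason is intended to be a one-word, CamelCase
                        representation of the category of cause of the current status.
                        It is intended to be used in concise output, such as one-line
                        kubectl get output, and in summarizing occurrences of causes.
                      type: string
                    status:
                      type: string
                    type:
                      description: "ConditionType is the type of the condition and
                        is typically a CamelCased word or short phrase. \n Condition
                        types should indicate state in the \"abnormal-true\" polarity.
                        For example, if the condition indicates when a policy is invalid,
                        the \"is valid\" case is probably the norm, so the condition
                        should be called \"Invalid\"."
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              currentIndex:
                description: Specifies the current index of the scan. Given multiple
                  scans, this marks the amount that have been executed.
                format: int64
                type: integer
              endTimestamp:
                description: Is the time when the scan was finished
                format: date-time
                type: string
              errormsg:
                description: If there are issues on the scan, this will be filled
                  up with an error message.
                type: string
              phase:
                description: Is the phase where the scan is at. Normally, one must
                  wait for the scan to reach the phase DONE.
                type: string
              remainingRetries:
                description: Is the number of retries left for the scan on timeout
                type: integer
              result:
                description: Once the scan reaches the phase DONE, this will contain
                  the result of the scan. Where COMPLIANT means that the scan succeeded;
                  NON-COMPLIANT means that there were rule violations; and ERROR means
                  that the scan couldn't complete due to an issue.
                type: string
              resultsStorage:
                description: Specifies the object that's storing the raw results for
                  the scan.
                properties:
                  apiVersion:
                    description: API version of the referent.
                    type: string
                  kind:
                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              startTimestamp:
                description: Is the time when the scan was started
                format: date-time
                type: string
              warnings:
                description: If there are warnings on the scan, this will be filled
                  up with warning messages.
                type: string
            type: object
        type: object
    served: true
    storage: true
    # status is a subresource, so spec and status are updated through separate endpoints.
    subresources:
      status: {}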