cis: schedule, alerts, profiles
This commit is contained in:
parent
878bd5752e
commit
36ee6103df
@ -161,6 +161,7 @@ type ClusterAlertRuleSpec struct {
|
||||
EventRule *EventRule `json:"eventRule,omitempty"`
|
||||
SystemServiceRule *SystemServiceRule `json:"systemServiceRule,omitempty"`
|
||||
MetricRule *MetricRule `json:"metricRule,omitempty"`
|
||||
ClusterScanRule *ClusterScanRule `json:"clusterScanRule,omitempty"`
|
||||
}
|
||||
|
||||
type ProjectAlertRule struct {
|
||||
@ -199,6 +200,11 @@ type CommonRuleField struct {
|
||||
TimingField
|
||||
}
|
||||
|
||||
type ClusterScanRule struct {
|
||||
ScanRunType ClusterScanRunType `json:"scanRunType,omitempty" norman:"required,options=manual|scheduled,default=scheduled"`
|
||||
FailuresOnly bool `json:"failuresOnly,omitempty"`
|
||||
}
|
||||
|
||||
type MetricRule struct {
|
||||
Expression string `json:"expression,omitempty" norman:"required"`
|
||||
Description string `json:"description,omitempty"`
|
||||
|
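Review bot: `ClusterScanRule.ScanRunType` hard-codes `options=manual|scheduled` in its norman tag while the same two strings are introduced as the `ClusterScanRunTypeManual`/`ClusterScanRunTypeScheduled` constants elsewhere in this commit, so the tag and the constants can drift with no compiler check. A one-line comment above the field would at least tie them together: `// options must match the ClusterScanRunType constants (manual, scheduled).` The new exported type also has no doc comment, and `FailuresOnly` does not say what it filters on (presumably scans with at least one failed check — worth confirming and stating).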
@ -9,11 +9,15 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
type ClusterScanRunType string
|
||||
type CisScanProfileType string
|
||||
|
||||
const (
|
||||
ClusterScanConditionCreated condition.Cond = typescond.Created
|
||||
ClusterScanConditionRunCompleted condition.Cond = typescond.RunCompleted
|
||||
ClusterScanConditionCompleted condition.Cond = typescond.Completed
|
||||
ClusterScanConditionFailed condition.Cond = typescond.Failed
|
||||
ClusterScanConditionAlerted condition.Cond = typescond.Alerted
|
||||
|
||||
ClusterScanTypeCis = "cis"
|
||||
DefaultNamespaceForCis = "security-scan"
|
||||
@ -23,6 +27,14 @@ const (
|
||||
RunCisScanAnnotation = "field.cattle.io/runCisScan"
|
||||
SonobuoyCompletionAnnotation = "field.cattle.io/sonobuoyDone"
|
||||
CisHelmChartOwner = "field.cattle.io/clusterScanOwner"
|
||||
|
||||
ClusterScanRunTypeManual ClusterScanRunType = "manual"
|
||||
ClusterScanRunTypeScheduled ClusterScanRunType = "scheduled"
|
||||
|
||||
CisScanProfileTypePermissive CisScanProfileType = "permissive"
|
||||
CisScanProfileTypeHardened CisScanProfileType = "hardened"
|
||||
|
||||
DefaultScanOutputFileName string = "output.json"
|
||||
)
|
||||
|
||||
type CisScanConfig struct {
|
||||
@ -30,12 +42,22 @@ type CisScanConfig struct {
|
||||
OverrideSkip []string `json:"overrideSkip"`
|
||||
// Override the CIS benchmark version to use for the scan (instead of latest)
|
||||
OverrideBenchmarkVersion string `json:"overrideBenchmarkVersion,omitempty"`
|
||||
// scan profile to use
|
||||
Profile CisScanProfileType `json:"profile,omitempty" norman:"required,options=permissive|hardened,default=permissive"`
|
||||
// Internal flag for debugging master component of the scan
|
||||
DebugMaster bool `json:"debugMaster"`
|
||||
// Internal flag for debugging worker component of the scan
|
||||
DebugWorker bool `json:"debugWorker"`
|
||||
}
|
||||
|
||||
type CisScanStatus struct {
|
||||
Total int `json:"total"`
|
||||
Pass int `json:"pass"`
|
||||
Fail int `json:"fail"`
|
||||
Skip int `json:"skip"`
|
||||
NotApplicable int `json:"notApplicable"`
|
||||
}
|
||||
|
||||
type ClusterScanConfig struct {
|
||||
CisScanConfig *CisScanConfig `json:"cisScanConfig"`
|
||||
}
|
||||
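Review bot: `DebugMaster` and `DebugWorker` are commented as internal debugging flags, yet they are ordinary JSON fields with no norman restriction, so any client allowed to create or update a scan can set them. If they are really internal, the convention used elsewhere in this commit for fields clients must not write is `norman:"nocreate,noupdate"` (see `MonitoringStatus` in ClusterStatus), e.g. `DebugMaster bool `json:"debugMaster" norman:"nocreate,noupdate"``; if they are meant to be user-settable, the comment should say so instead. The `CisScanConfig` struct header is outside this hunk.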
@ -59,14 +81,15 @@ type ClusterScanSpec struct {
|
||||
ScanType string `json:"scanType"`
|
||||
// cluster ID
|
||||
ClusterID string `json:"clusterId,omitempty" norman:"required,type=reference[cluster]"`
|
||||
// manual flag
|
||||
Manual bool `yaml:"manual" json:"manual,omitempty"`
|
||||
// Run type
|
||||
RunType ClusterScanRunType `json:"runType,omitempty"`
|
||||
// scanConfig
|
||||
ScanConfig ClusterScanConfig `yaml:",omitempty" json:"scanConfig,omitempty"`
|
||||
}
|
||||
|
||||
type ClusterScanStatus struct {
|
||||
Conditions []ClusterScanCondition `json:"conditions"`
|
||||
Conditions []ClusterScanCondition `json:"conditions"`
|
||||
CisScanStatus *CisScanStatus `json:"cisScanStatus"`
|
||||
}
|
||||
|
||||
type ClusterScan struct {
|
||||
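Review bot: The new `RunType` field has no `options` constraint, unlike `ScanRunType` on ClusterScanRule in this same commit which is limited to `manual|scheduled`, so the API will store any string in it. It also sits next to the existing `Manual bool` with nothing saying which one wins when both are set. Suggest `RunType ClusterScanRunType `json:"runType,omitempty" norman:"options=manual|scheduled"`` and replacing the content-free `// Run type` with a comment that explains its relationship to `Manual` (whether `Manual` is retained only for compatibility — confirm). The `ClusterScanSpec` struct header is outside this hunk.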
@ -80,7 +103,10 @@ type ClusterScan struct {
|
||||
}
|
||||
|
||||
type CisBenchmarkVersionInfo struct {
|
||||
MinKubernetesVersion string `yaml:"min_kubernetes_version" json:"minKubernetesVersion"`
|
||||
Managed bool `yaml:"managed" json:"managed"`
|
||||
MinKubernetesVersion string `yaml:"min_kubernetes_version" json:"minKubernetesVersion"`
|
||||
SkippedChecks map[string]string `yaml:"skipped_checks" json:"skippedChecks"`
|
||||
NotApplicableChecks map[string]string `yaml:"not_applicable_checks" json:"notApplicableChecks"`
|
||||
}
|
||||
|
||||
type CisConfigParams struct {
|
||||
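Review bot: `SkippedChecks` and `NotApplicableChecks` are `map[string]string` with no comment on what the key and the value are, so a reader cannot tell whether the key is a benchmark check ID and the value a reason. Suggest comments such as `// SkippedChecks maps a benchmark check ID to the reason it is skipped` (confirm against the scan runner that produces the file), and a matching one for `NotApplicableChecks`. `Managed bool` is likewise undocumented; one sentence on what "managed" means for a benchmark version would help.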
@ -104,3 +130,22 @@ type CisBenchmarkVersion struct {
|
||||
|
||||
Info CisBenchmarkVersionInfo `json:"info" yaml:"info"`
|
||||
}
|
||||
|
||||
type ScheduledClusterScanConfig struct {
|
||||
// Cron Expression for Schedule
|
||||
CronSchedule string `yaml:"cron_schedule" json:"cronSchedule,omitempty"`
|
||||
// Number of past scans to keep
|
||||
Retention int `yaml:"retention" json:"retention,omitempty"`
|
||||
}
|
||||
|
||||
type ScheduledClusterScan struct {
|
||||
// Enable or disable scheduled scans
|
||||
Enabled bool `yaml:"enabled" json:"enabled,omitempty" norman:"default=false"`
|
||||
ScheduleConfig *ScheduledClusterScanConfig `yaml:"schedule_config" json:"scheduleConfig,omitempty"`
|
||||
ScanConfig *ClusterScanConfig `yaml:"scan_config,omitempty" json:"scanConfig,omitempty"`
|
||||
}
|
||||
|
||||
type ScheduledClusterScanStatus struct {
|
||||
Enabled bool `yaml:"enabled" json:"enabled,omitempty"`
|
||||
LastRunTimestamp string `yaml:"last_run_timestamp" json:"lastRunTimestamp"`
|
||||
}
|
||||
|
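Review bot: `CronSchedule` is a free-form string and `Retention` an unbounded int, so nothing at the type level rejects a malformed expression, a negative retention, or says what a zero retention means; a comment stating that the controller validates these, and what `0` does, would make the contract explicit. `LastRunTimestamp string` has no documented format, while the import hunk at the top of this file shows `metav1` already in scope, so `metav1.Time` — or at least a comment naming the layout (e.g. RFC 3339) — would avoid producers and consumers disagreeing on how to parse it.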
@ -103,6 +103,7 @@ type ClusterSpecBase struct {
|
||||
EnableClusterMonitoring bool `json:"enableClusterMonitoring" norman:"default=false"`
|
||||
WindowsPreferedCluster bool `json:"windowsPreferedCluster" norman:"noupdate"`
|
||||
LocalClusterAuthEndpoint LocalClusterAuthEndpoint `json:"localClusterAuthEndpoint,omitempty"`
|
||||
ScheduledClusterScan *ScheduledClusterScan `json:"scheduledClusterScan,omitempty"`
|
||||
}
|
||||
|
||||
type ClusterSpec struct {
|
||||
@ -131,27 +132,28 @@ type ClusterStatus struct {
|
||||
Conditions []ClusterCondition `json:"conditions,omitempty"`
|
||||
// Component statuses will represent cluster's components (etcd/controller/scheduler) health
|
||||
// https://kubernetes.io/docs/api-reference/v1.8/#componentstatus-v1-core
|
||||
Driver string `json:"driver"`
|
||||
AgentImage string `json:"agentImage"`
|
||||
AgentFeatures map[string]bool `json:"agentFeatures,omitempty"`
|
||||
AuthImage string `json:"authImage"`
|
||||
ComponentStatuses []ClusterComponentStatus `json:"componentStatuses,omitempty"`
|
||||
APIEndpoint string `json:"apiEndpoint,omitempty"`
|
||||
ServiceAccountToken string `json:"serviceAccountToken,omitempty"`
|
||||
CACert string `json:"caCert,omitempty"`
|
||||
Capacity v1.ResourceList `json:"capacity,omitempty"`
|
||||
Allocatable v1.ResourceList `json:"allocatable,omitempty"`
|
||||
AppliedSpec ClusterSpec `json:"appliedSpec,omitempty"`
|
||||
FailedSpec *ClusterSpec `json:"failedSpec,omitempty"`
|
||||
Requested v1.ResourceList `json:"requested,omitempty"`
|
||||
Limits v1.ResourceList `json:"limits,omitempty"`
|
||||
Version *version.Info `json:"version,omitempty"`
|
||||
AppliedPodSecurityPolicyTemplateName string `json:"appliedPodSecurityPolicyTemplateId"`
|
||||
AppliedEnableNetworkPolicy bool `json:"appliedEnableNetworkPolicy" norman:"nocreate,noupdate,default=false"`
|
||||
Capabilities Capabilities `json:"capabilities,omitempty"`
|
||||
MonitoringStatus *MonitoringStatus `json:"monitoringStatus,omitempty" norman:"nocreate,noupdate"`
|
||||
IstioEnabled bool `json:"istioEnabled,omitempty" norman:"nocreate,noupdate,default=false"`
|
||||
CertificatesExpiration map[string]CertExpiration `json:"certificatesExpiration,omitempty"`
|
||||
Driver string `json:"driver"`
|
||||
AgentImage string `json:"agentImage"`
|
||||
AgentFeatures map[string]bool `json:"agentFeatures,omitempty"`
|
||||
AuthImage string `json:"authImage"`
|
||||
ComponentStatuses []ClusterComponentStatus `json:"componentStatuses,omitempty"`
|
||||
APIEndpoint string `json:"apiEndpoint,omitempty"`
|
||||
ServiceAccountToken string `json:"serviceAccountToken,omitempty"`
|
||||
CACert string `json:"caCert,omitempty"`
|
||||
Capacity v1.ResourceList `json:"capacity,omitempty"`
|
||||
Allocatable v1.ResourceList `json:"allocatable,omitempty"`
|
||||
AppliedSpec ClusterSpec `json:"appliedSpec,omitempty"`
|
||||
FailedSpec *ClusterSpec `json:"failedSpec,omitempty"`
|
||||
Requested v1.ResourceList `json:"requested,omitempty"`
|
||||
Limits v1.ResourceList `json:"limits,omitempty"`
|
||||
Version *version.Info `json:"version,omitempty"`
|
||||
AppliedPodSecurityPolicyTemplateName string `json:"appliedPodSecurityPolicyTemplateId"`
|
||||
AppliedEnableNetworkPolicy bool `json:"appliedEnableNetworkPolicy" norman:"nocreate,noupdate,default=false"`
|
||||
Capabilities Capabilities `json:"capabilities,omitempty"`
|
||||
MonitoringStatus *MonitoringStatus `json:"monitoringStatus,omitempty" norman:"nocreate,noupdate"`
|
||||
IstioEnabled bool `json:"istioEnabled,omitempty" norman:"nocreate,noupdate,default=false"`
|
||||
CertificatesExpiration map[string]CertExpiration `json:"certificatesExpiration,omitempty"`
|
||||
ScheduledClusterScanStatus *ScheduledClusterScanStatus `json:"scheduledClusterScanStatus,omitempty"`
|
||||
}
|
||||
|
||||
type ClusterComponentStatus struct {
|
||||
|
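Review bot: `ScheduledClusterScanStatus` is a status field but, unlike `MonitoringStatus` a few lines above it, carries no `norman:"nocreate,noupdate"`, so a client with write access to the cluster object could set or clear it through the API rather than it being owned solely by the controller. Suggest `ScheduledClusterScanStatus *ScheduledClusterScanStatus `json:"scheduledClusterScanStatus,omitempty" norman:"nocreate,noupdate"``. The `ClusterStatus` struct header is outside this hunk.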
@ -18,4 +18,9 @@ const (
|
||||
// error type
|
||||
|
||||
Failed cond.Cond = "Failed"
|
||||
|
||||
// generic type
|
||||
// these will not trigger any state change on the object
|
||||
|
||||
Alerted cond.Cond = "Alerted"
|
||||
)
|
||||
|