OCPNODE-3008: Add v1 type ClusterImagePolicy and ImagePolicy #2310
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,87 @@ | ||||||||
| package v1 | ||||||||
|
|
||||||||
| import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||||||
|
|
||||||||
| // +genclient | ||||||||
| // +genclient:nonNamespaced | ||||||||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||||||||
|
|
||||||||
| // ClusterImagePolicy holds cluster-wide configuration for image signature verification | ||||||||
| // | ||||||||
| // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). | ||||||||
| // +kubebuilder:object:root=true | ||||||||
| // +kubebuilder:resource:path=clusterimagepolicies,scope=Cluster | ||||||||
| // +kubebuilder:subresource:status | ||||||||
| // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2310 | ||||||||
| // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 | ||||||||
| // +openshift:enable:FeatureGate=SigstoreImageVerification | ||||||||
| // +openshift:compatibility-gen:level=1 | ||||||||
| type ClusterImagePolicy struct { | ||||||||
| metav1.TypeMeta `json:",inline"` | ||||||||
|
|
||||||||
| // metadata is the standard object's metadata. | ||||||||
| // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | ||||||||
| // +optional | ||||||||
| metav1.ObjectMeta `json:"metadata"` | ||||||||
|
|
||||||||
| // spec contains the configuration for the cluster image policy. | ||||||||
| // +required | ||||||||
| Spec ClusterImagePolicySpec `json:"spec"` | ||||||||
| // status contains the observed state of the resource. | ||||||||
| // +optional | ||||||||
| Status ClusterImagePolicyStatus `json:"status"` | ||||||||
| } | ||||||||
|
|
||||||||
| // CLusterImagePolicySpec is the specification of the ClusterImagePolicy custom resource. | ||||||||
| type ClusterImagePolicySpec struct { | ||||||||
| // scopes is a required field that defines the list of image identities assigned to a policy. Each item refers to a scope in a registry implementing the "Docker Registry HTTP API V2". | ||||||||
| // Scopes matching individual images are named Docker references in the fully expanded form, either using a tag or digest. For example, docker.io/library/busybox:latest (not busybox:latest). | ||||||||
| // More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest), a repository | ||||||||
| // namespace, or a registry host (by only specifying the host name and possibly a port number) or a wildcard expression starting with `*.`, for matching all subdomains (not including a port number). | ||||||||
| // Wildcards are only supported for subdomain matching, and may not be used in the middle of the host, i.e. *.example.com is a valid case, but example*.*.com is not. | ||||||||
| // This support no more than 256 scopes in one object. If multiple scopes match a given image, only the policy requirements for the most specific scope apply. The policy requirements for more general scopes are ignored. | ||||||||
| // In addition to setting a policy appropriate for your own deployed applications, make sure that a policy on the OpenShift image repositories | ||||||||
| // quay.io/openshift-release-dev/ocp-release, quay.io/openshift-release-dev/ocp-v4.0-art-dev (or on a more general scope) allows deployment of the OpenShift images required for cluster operation. | ||||||||
| // If a scope is configured in both the ClusterImagePolicy and the ImagePolicy, or if the scope in ImagePolicy is nested under one of the scopes from the ClusterImagePolicy, only the policy from the ClusterImagePolicy will be applied. | ||||||||
| // For additional details about the format, please refer to the document explaining the docker transport field, | ||||||||
| // which can be found at: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker | ||||||||
| // +required | ||||||||
| // +kubebuilder:validation:MaxItems=256 | ||||||||
| // +listType=set | ||||||||
| Scopes []ImageScope `json:"scopes"` | ||||||||
| // policy is a required field that contains configuration to allow scopes to be verified, and defines how | ||||||||
| // images not matching the verification policy will be treated. | ||||||||
| // +required | ||||||||
|
There was a problem hiding this comment. Ditto on explicit inclusion in the GoDoc that this field is required. |
||||||||
| Policy Policy `json:"policy"` | ||||||||
| } | ||||||||
|
|
||||||||
| // +k8s:deepcopy-gen=true | ||||||||
| type ClusterImagePolicyStatus struct { | ||||||||
| // conditions provide details on the status of this API Resource. | ||||||||
|
There was a problem hiding this comment. Can we provide further detail on the types of conditions that should be expected to be set here? I suspect we have a complete list for the feature now? There was a problem hiding this comment. For ImagePolicy, we have Pending conditions suggesting some configs from this object would be overwritten since they conflict with existing cluster-wide objects. |
||||||||
| // +kubebuilder:validation:MaxItems=8 | ||||||||
| // +kubebuilder:validation:MinItems=1 | ||||||||
| // +listType=map | ||||||||
| // +listMapKey=type | ||||||||
| // +optional | ||||||||
| Conditions []metav1.Condition `json:"conditions,omitempty"` | ||||||||
|
There was a problem hiding this comment. You should add a minimum length marker of 1 to this, so that
Suggested change
|
||||||||
| } | ||||||||
|
|
||||||||
| // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||||||||
|
|
||||||||
| // ClusterImagePolicyList is a list of ClusterImagePolicy resources | ||||||||
| // | ||||||||
| // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). | ||||||||
| // +openshift:compatibility-gen:level=1 | ||||||||
| type ClusterImagePolicyList struct { | ||||||||
| metav1.TypeMeta `json:",inline"` | ||||||||
|
|
||||||||
| // metadata is the standard list's metadata. | ||||||||
| // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | ||||||||
| // +required | ||||||||
| metav1.ListMeta `json:"metadata"` | ||||||||
|
|
||||||||
| // items is a list of ClusterImagePolices | ||||||||
| // +kubebuilder:validation:MaxItems=1000 | ||||||||
| // +required | ||||||||
| Items []ClusterImagePolicy `json:"items"` | ||||||||
| } | ||||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Explicitly state these constraints in the GoDoc for the field. Users will not be able to see the markers when looking at the generated documentation so stating these validations explicitly, in plain english, helps us convey constraints to user reading the generated documentation.