1apiVersion: apiextensions.k8s.io/v1
2kind: CustomResourceDefinition
3metadata:
4 annotations:
5 cnrm.cloud.google.com/version: 0.0.0-dev
6 creationTimestamp: null
7 labels:
8 cnrm.cloud.google.com/dcl2crd: "true"
9 cnrm.cloud.google.com/managed-by-kcc: "true"
10 cnrm.cloud.google.com/stability-level: stable
11 cnrm.cloud.google.com/system: "true"
12 name: osconfigguestpolicies.osconfig.cnrm.cloud.google.com
13spec:
14 group: osconfig.cnrm.cloud.google.com
15 names:
16 categories:
17 - gcp
18 kind: OSConfigGuestPolicy
19 plural: osconfigguestpolicies
20 shortNames:
21 - gcposconfigguestpolicy
22 - gcposconfigguestpolicies
23 singular: osconfigguestpolicy
24 preserveUnknownFields: false
25 scope: Namespaced
26 versions:
27 - additionalPrinterColumns:
28 - jsonPath: .metadata.creationTimestamp
29 name: Age
30 type: date
31 - description: When 'True', the most recent reconcile of the resource succeeded
32 jsonPath: .status.conditions[?(@.type=='Ready')].status
33 name: Ready
34 type: string
35 - description: The reason for the value in 'Ready'
36 jsonPath: .status.conditions[?(@.type=='Ready')].reason
37 name: Status
38 type: string
39 - description: The last transition time for the value in 'Status'
40 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
41 name: Status Age
42 type: date
43 name: v1beta1
44 schema:
45 openAPIV3Schema:
46 properties:
47 apiVersion:
48 description: 'apiVersion defines the versioned schema of this representation
49 of an object. Servers should convert recognized schemas to the latest
50 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
51 type: string
52 kind:
53 description: 'kind is a string value representing the REST resource this
54 object represents. Servers may infer this from the endpoint the client
55 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
56 type: string
57 metadata:
58 type: object
59 spec:
60 properties:
61 assignment:
62 description: Specifies the VMs that are assigned this policy. This
63 allows you to target sets or groups of VMs by different parameters
64 such as labels, names, OS, or zones. Empty assignments will target
65 ALL VMs underneath this policy. Conflict Management Policies that
66 exist higher up in the resource hierarchy (closer to the Org) will
67 override those lower down if there is a conflict. At the same level
68 in the resource hierarchy (i.e. within a project), the service will
69 prevent the creation of multiple policies that conflict with each
70 other. If there are multiple policies that specify the same config
71 (e.g. package, software recipe, repository, etc.), the service will
72 ensure that no VM could potentially receive instructions from both
73 policies. To create multiple policies that specify different versions
74 of a package or different configs for different Operating Systems,
75 each policy must be mutually exclusive in their targeting according
76 to labels, OS, or other criteria. Different configs are identified
77 for conflicts in different ways. Packages are identified by their
78 name and the package manager(s) they target. Package repositories
79 are identified by their unique id where applicable. Some package
80 managers don't have a unique identifier for repositories and where
81 that's the case, no uniqueness is validated by the service. Note
82 that if OS Inventory is disabled, a VM will not be assigned a policy
83 that targets by OS because the service will see this VM's OS as
84 unknown.
85 properties:
86 groupLabels:
87 description: Targets instances matching at least one of these
88 label sets. This allows an assignment to target disparate groups,
89 for example "env=prod or env=staging".
90 items:
91 properties:
92 labels:
93 additionalProperties:
94 type: string
95 description: Google Compute Engine instance labels that
96 must be present for an instance to be included in this
97 assignment group.
98 type: object
99 type: object
100 type: array
101 instanceNamePrefixes:
102 description: Targets VM instances whose name starts with one of
103 these prefixes. Like labels, this is another way to group VM
104 instances when targeting configs, for example prefix="prod-".
105 Only supported for project-level policies.
106 items:
107 type: string
108 type: array
109 instances:
110 items:
111 oneOf:
112 - not:
113 required:
114 - external
115 required:
116 - name
117 - not:
118 anyOf:
119 - required:
120 - name
121 - required:
122 - namespace
123 required:
124 - external
125 properties:
126 external:
127 description: 'Allowed value: The `selfLink` field of a `ComputeInstance`
128 resource.'
129 type: string
130 name:
131 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
132 type: string
133 namespace:
134 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
135 type: string
136 type: object
137 type: array
138 osTypes:
139 description: Targets VM instances matching at least one of the
140 following OS types. VM instances must match all supplied criteria
141 for a given OsType to be included.
142 items:
143 properties:
144 osArchitecture:
145 description: Targets VM instances with OS Inventory enabled
146 and having the following OS architecture.
147 type: string
148 osShortName:
149 description: Targets VM instances with OS Inventory enabled
150 and having the following OS short name, for example "debian"
151 or "windows".
152 type: string
153 osVersion:
154 description: Targets VM instances with OS Inventory enabled
155 and having the following OS version.
156 type: string
157 type: object
158 type: array
159 zones:
160 description: Targets instances in any of these zones. Leave empty
161 to target instances in any zone. Zonal targeting is uncommon
162 and is supported to facilitate the management of changes by
163 zone.
164 items:
165 type: string
166 type: array
167 type: object
168 description:
169 description: Description of the GuestPolicy. Length of the description
170 is limited to 1024 characters.
171 type: string
172 packageRepositories:
173 description: List of package repository configurations assigned to
174 the VM instance.
175 items:
176 properties:
177 apt:
178 description: An Apt Repository.
179 properties:
180 archiveType:
181 description: 'Type of archive files in this repository.
182 The default behavior is DEB. Possible values: ARCHIVE_TYPE_UNSPECIFIED,
183 DEB, DEB_SRC'
184 type: string
185 components:
186 description: Required. List of components for this repository.
187 Must contain at least one item.
188 items:
189 type: string
190 type: array
191 distribution:
192 description: Required. Distribution of this repository.
193 type: string
194 gpgKey:
195 description: URI of the key file for this repository. The
196 agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`
197 containing all the keys in any applied guest policy.
198 type: string
199 uri:
200 description: Required. URI for this repository.
201 type: string
202 required:
203 - distribution
204 - uri
205 type: object
206 goo:
207 description: A Goo Repository.
208 properties:
209 name:
210 description: Required. The name of the repository.
211 type: string
212 url:
213 description: Required. The url of the repository.
214 type: string
215 required:
216 - name
217 - url
218 type: object
219 yum:
220 description: A Yum Repository.
221 properties:
222 baseUrl:
223 description: Required. The location of the repository directory.
224 type: string
225 displayName:
226 description: The display name of the repository.
227 type: string
228 gpgKeys:
229 description: URIs of GPG keys.
230 items:
231 type: string
232 type: array
233 id:
234 description: Required. A one word, unique name for this
235 repository. This is the `repo id` in the Yum config file
236 and also the `display_name` if `display_name` is omitted.
237 This id is also used as the unique identifier when checking
238 for guest policy conflicts.
239 type: string
240 required:
241 - baseUrl
242 - id
243 type: object
244 zypper:
245 description: A Zypper Repository.
246 properties:
247 baseUrl:
248 description: Required. The location of the repository directory.
249 type: string
250 displayName:
251 description: The display name of the repository.
252 type: string
253 gpgKeys:
254 description: URIs of GPG keys.
255 items:
256 type: string
257 type: array
258 id:
259 description: Required. A one word, unique name for this
260 repository. This is the `repo id` in the zypper config
261 file and also the `display_name` if `display_name` is
262 omitted. This id is also used as the unique identifier
263 when checking for guest policy conflicts.
264 type: string
265 required:
266 - baseUrl
267 - id
268 type: object
269 type: object
270 type: array
271 packages:
272 description: List of package configurations assigned to the VM instance.
273 items:
274 properties:
275 desiredState:
276 description: 'The desired_state the agent should maintain for
277 this package. The default is to ensure the package is installed.
278 Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED'
279 type: string
280 manager:
281 description: 'Type of package manager that can be used to install
282 this package. If a system does not have the package manager,
283 the package is not installed or removed and no error message is
284 returned. By default, or if you specify `ANY`, the agent attempts
285 to install and remove this package using the default package
286 manager. This is useful when creating a policy that applies
287 to different types of systems. The default behavior is ANY.
288 Possible values: MANAGER_UNSPECIFIED, ANY, APT, YUM, ZYPPER,
289 GOO'
290 type: string
291 name:
292 description: Required. The name of the package. A package is
293 uniquely identified for conflict validation by checking the
294 package name and the manager(s) that the package targets.
295 type: string
296 type: object
297 type: array
298 recipes:
299 description: Optional. A list of Recipes to install on the VM.
300 items:
301 properties:
302 artifacts:
303 description: Resources available to be used in the steps in
304 the recipe.
305 items:
306 properties:
307 allowInsecure:
308 description: 'Defaults to false. When false, recipes are
309 subject to validations based on the artifact type: Remote:
310 A checksum must be specified, and only protocols with
311 transport-layer security are permitted. GCS: An object
312 generation number must be specified.'
313 type: boolean
314 gcs:
315 description: A Google Cloud Storage artifact.
316 properties:
317 bucketRef:
318 oneOf:
319 - not:
320 required:
321 - external
322 required:
323 - name
324 - not:
325 anyOf:
326 - required:
327 - name
328 - required:
329 - namespace
330 required:
331 - external
332 properties:
333 external:
334 description: |-
335 Bucket of the Google Cloud Storage object. Given an example URL: `https://storage.googleapis.com/my-bucket/foo/bar#1234567` this value would be `my-bucket`.
336
337 Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`).
338 type: string
339 name:
340 description: 'Name of the referent. More info:
341 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
342 type: string
343 namespace:
344 description: 'Namespace of the referent. More
345 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
346 type: string
347 type: object
348 generation:
349 description: Must be provided if allow_insecure is
350 false. Generation number of the Google Cloud Storage
351 object. Given an example URL: `https://storage.googleapis.com/my-bucket/foo/bar#1234567`
352 this value would be `1234567`.
353 format: int64
354 type: integer
355 object:
356 description: 'Name of the Google Cloud Storage object.
357 As specified [here](https://cloud.google.com/storage/docs/naming#objectnames).
358 Given an example URL: `https://storage.googleapis.com/my-bucket/foo/bar#1234567`
359 this value would be `foo/bar`.'
360 type: string
361 type: object
362 id:
363 description: Required. Id of the artifact, which the installation
364 and update steps of this recipe can reference. Artifacts
365 in a recipe cannot have the same id.
366 type: string
367 remote:
368 description: A generic remote artifact.
369 properties:
370 checksum:
371 description: Must be provided if `allow_insecure`
372 is `false`. SHA256 checksum in hex format, to compare
373 to the checksum of the artifact. If the checksum
374 is not empty and it doesn't match the artifact then
375 the recipe installation fails before running any
376 of the steps.
377 type: string
378 uri:
379 description: 'URI from which to fetch the object.
380 It should contain both the protocol and path following
381 the format: {protocol}://{location}.'
382 type: string
383 type: object
384 type: object
385 type: array
386 desiredState:
387 description: 'Default is INSTALLED. The desired state the agent
388 should maintain for this recipe. INSTALLED: The software recipe
389 is installed on the instance but won''t be updated to new
390 versions. UPDATED: The software recipe is installed on the
391 instance. The recipe is updated to a higher version, if a
392 higher version of the recipe is assigned to this instance.
393 REMOVE: Remove is unsupported for software recipes and attempts
394 to create or update a recipe to the REMOVE state are rejected.
395 Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED'
396 type: string
397 installSteps:
398 description: Actions to be taken for installing this recipe.
399 On failure it stops executing steps and does not attempt another
400 installation. Any steps taken (including partially completed
401 steps) are not rolled back.
402 items:
403 properties:
404 archiveExtraction:
405 description: Extracts an archive into the specified directory.
406 properties:
407 artifactId:
408 description: Required. The id of the relevant artifact
409 in the recipe.
410 type: string
411 destination:
412 description: Directory to extract archive to. Defaults
413 to `/` on Linux or `C:` on Windows.
414 type: string
415 type:
416 description: 'Required. The type of the archive to
417 extract. Possible values: TYPE_UNSPECIFIED, VALIDATION,
418 DESIRED_STATE_CHECK, DESIRED_STATE_ENFORCEMENT,
419 DESIRED_STATE_CHECK_POST_ENFORCEMENT'
420 type: string
421 type: object
422 dpkgInstallation:
423 description: Installs a deb file via dpkg.
424 properties:
425 artifactId:
426 description: Required. The id of the relevant artifact
427 in the recipe.
428 type: string
429 type: object
430 fileCopy:
431 description: Copies a file onto the instance.
432 properties:
433 artifactId:
434 description: Required. The id of the relevant artifact
435 in the recipe.
436 type: string
437 destination:
438 description: Required. The absolute path on the instance
439 to put the file.
440 type: string
441 overwrite:
442 description: Whether to allow this step to overwrite
443 existing files. If this is false and the file already
444 exists the file is not overwritten and the step
445 is considered a success. Defaults to false.
446 type: boolean
447 permissions:
448 description: 'Consists of three octal digits which
449 represent, in order, the permissions of the owner,
450 group, and other users for the file (similarly to
451 the numeric mode used in the linux chmod utility).
452 Each digit represents a three bit number with the
453 4 bit corresponding to the read permissions, the
454 2 bit corresponds to the write bit, and the one
455 bit corresponds to the execute permission. Default
456 behavior is 755. Below are some examples of permissions
457 and their associated values: read, write, and execute:
458 7; read and execute: 5; read and write: 6; read only:
459 4'
460 type: string
461 type: object
462 fileExec:
463 description: Executes an artifact or local file.
464 properties:
465 allowedExitCodes:
466 description: Defaults to [0]. A list of possible return
467 values that the program can return to indicate a
468 success.
469 items:
470 format: int64
471 type: integer
472 type: array
473 args:
474 description: Arguments to be passed to the provided
475 executable.
476 items:
477 type: string
478 type: array
479 artifactId:
480 description: The id of the relevant artifact in the
481 recipe.
482 type: string
483 localPath:
484 description: The absolute path of the file on the
485 local filesystem.
486 type: string
487 type: object
488 msiInstallation:
489 description: Installs an MSI file.
490 properties:
491 allowedExitCodes:
492 description: Return codes that indicate that the software
493 installed or updated successfully. Behaviour defaults
494 to [0]
495 items:
496 format: int64
497 type: integer
498 type: array
499 artifactId:
500 description: Required. The id of the relevant artifact
501 in the recipe.
502 type: string
503 flags:
504 description: The flags to use when installing the
505 MSI. Defaults to ["/i"] (i.e. the install flag).
506 items:
507 type: string
508 type: array
509 type: object
510 rpmInstallation:
511 description: Installs an rpm file via the rpm utility.
512 properties:
513 artifactId:
514 description: Required. The id of the relevant artifact
515 in the recipe.
516 type: string
517 type: object
518 scriptRun:
519 description: Runs commands in a shell.
520 properties:
521 allowedExitCodes:
522 description: Return codes that indicate that the software
523 installed or updated successfully. Behaviour defaults
524 to [0]
525 items:
526 format: int64
527 type: integer
528 type: array
529 interpreter:
530 description: 'The script interpreter to use to run
531 the script. If no interpreter is specified the script
532 is executed directly, which likely only succeeds
533 for scripts with [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)).
534 Possible values: INTERPRETER_UNSPECIFIED, NONE,
535 SHELL, POWERSHELL'
536 type: string
537 script:
538 description: Required. The shell script to be executed.
539 type: string
540 type: object
541 type: object
542 type: array
543 name:
544 description: Required. Unique identifier for the recipe. Only
545 one recipe with a given name is installed on an instance.
546 Names are also used to identify resources which helps to determine
547 whether guest policies have conflicts. This means that requests
548 to create multiple recipes with the same name and version
549 are rejected since they could potentially have conflicting
550 assignments.
551 type: string
552 updateSteps:
553 description: Actions to be taken for updating this recipe. On
554 failure it stops executing steps and does not attempt another
555 update for this recipe. Any steps taken (including partially
556 completed steps) are not rolled back.
557 items:
558 properties:
559 archiveExtraction:
560 description: Extracts an archive into the specified directory.
561 properties:
562 artifactId:
563 description: Required. The id of the relevant artifact
564 in the recipe.
565 type: string
566 destination:
567 description: Directory to extract archive to. Defaults
568 to `/` on Linux or `C:` on Windows.
569 type: string
570 type:
571 description: 'Required. The type of the archive to
572 extract. Possible values: TYPE_UNSPECIFIED, VALIDATION,
573 DESIRED_STATE_CHECK, DESIRED_STATE_ENFORCEMENT,
574 DESIRED_STATE_CHECK_POST_ENFORCEMENT'
575 type: string
576 type: object
577 dpkgInstallation:
578 description: Installs a deb file via dpkg.
579 properties:
580 artifactId:
581 description: Required. The id of the relevant artifact
582 in the recipe.
583 type: string
584 type: object
585 fileCopy:
586 description: Copies a file onto the instance.
587 properties:
588 artifactId:
589 description: Required. The id of the relevant artifact
590 in the recipe.
591 type: string
592 destination:
593 description: Required. The absolute path on the instance
594 to put the file.
595 type: string
596 overwrite:
597 description: Whether to allow this step to overwrite
598 existing files. If this is false and the file already
599 exists the file is not overwritten and the step
600 is considered a success. Defaults to false.
601 type: boolean
602 permissions:
603 description: 'Consists of three octal digits which
604 represent, in order, the permissions of the owner,
605 group, and other users for the file (similarly to
606 the numeric mode used in the linux chmod utility).
607 Each digit represents a three bit number with the
608 4 bit corresponding to the read permissions, the
609 2 bit corresponds to the write bit, and the one
610 bit corresponds to the execute permission. Default
611 behavior is 755. Below are some examples of permissions
612 and their associated values: read, write, and execute:
613 7; read and execute: 5; read and write: 6; read only:
614 4'
615 type: string
616 type: object
617 fileExec:
618 description: Executes an artifact or local file.
619 properties:
620 allowedExitCodes:
621 description: Defaults to [0]. A list of possible return
622 values that the program can return to indicate a
623 success.
624 items:
625 format: int64
626 type: integer
627 type: array
628 args:
629 description: Arguments to be passed to the provided
630 executable.
631 items:
632 type: string
633 type: array
634 artifactId:
635 description: The id of the relevant artifact in the
636 recipe.
637 type: string
638 localPath:
639 description: The absolute path of the file on the
640 local filesystem.
641 type: string
642 type: object
643 msiInstallation:
644 description: Installs an MSI file.
645 properties:
646 allowedExitCodes:
647 description: Return codes that indicate that the software
648 installed or updated successfully. Behaviour defaults
649 to [0]
650 items:
651 format: int64
652 type: integer
653 type: array
654 artifactId:
655 description: Required. The id of the relevant artifact
656 in the recipe.
657 type: string
658 flags:
659 description: The flags to use when installing the
660 MSI. Defaults to ["/i"] (i.e. the install flag).
661 items:
662 type: string
663 type: array
664 type: object
665 rpmInstallation:
666 description: Installs an rpm file via the rpm utility.
667 properties:
668 artifactId:
669 description: Required. The id of the relevant artifact
670 in the recipe.
671 type: string
672 type: object
673 scriptRun:
674 description: Runs commands in a shell.
675 properties:
676 allowedExitCodes:
677 description: Return codes that indicate that the software
678 installed or updated successfully. Behaviour defaults
679 to [0]
680 items:
681 format: int64
682 type: integer
683 type: array
684 interpreter:
685 description: 'The script interpreter to use to run
686 the script. If no interpreter is specified the script
687 is executed directly, which likely only succeeds
688 for scripts with [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)).
689 Possible values: INTERPRETER_UNSPECIFIED, NONE,
690 SHELL, POWERSHELL'
691 type: string
692 script:
693 description: Required. The shell script to be executed.
694 type: string
695 type: object
696 type: object
697 type: array
698 version:
699 description: The version of this software recipe. Version can
700 be up to 4 period separated numbers (e.g. 12.34.56.78).
701 type: string
702 type: object
703 type: array
704 resourceID:
705 description: Immutable. Optional. The name of the resource. Used for
706 creation and acquisition. When unset, the value of `metadata.name`
707 is used as the default.
708 type: string
709 type: object
710 status:
711 properties:
712 conditions:
713 description: Conditions represent the latest available observation
714 of the resource's current state.
715 items:
716 properties:
717 lastTransitionTime:
718 description: Last time the condition transitioned from one status
719 to another.
720 type: string
721 message:
722 description: Human-readable message indicating details about
723 last transition.
724 type: string
725 reason:
726 description: Unique, one-word, CamelCase reason for the condition's
727 last transition.
728 type: string
729 status:
730 description: Status is the status of the condition. Can be True,
731 False, Unknown.
732 type: string
733 type:
734 description: Type is the type of the condition.
735 type: string
736 type: object
737 type: array
738 createTime:
739 description: Output only. Time this GuestPolicy was created.
740 format: date-time
741 type: string
742 etag:
743 description: The etag for this GuestPolicy. If this is provided on
744 update, it must match the server's etag.
745 type: string
746 observedGeneration:
747 description: ObservedGeneration is the generation of the resource
748 that was most recently observed by the Config Connector controller.
749 If this is equal to metadata.generation, then that means that the
750 current reported status reflects the most recent desired state of
751 the resource.
752 type: integer
753 updateTime:
754 description: Output only. Last time this GuestPolicy was updated.
755 format: date-time
756 type: string
757 type: object
758 type: object
759 served: true
760 storage: true
761 subresources:
762 status: {}
763status:
764 acceptedNames:
765 kind: ""
766 plural: ""
767 conditions: []
768 storedVersions: []