# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for Config Connector's OSConfigGuestPolicy
# (group osconfig.cnrm.cloud.google.com, one served + storage version,
# v1beta1). The dcl2crd label below indicates the schema is generated from
# the DCL resource model; the description strings are copied verbatim from
# the upstream API, so wording fixes belong in the generator input, not here.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: osconfigguestpolicies.osconfig.cnrm.cloud.google.com
spec:
  group: osconfig.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: OSConfigGuestPolicy
    plural: osconfigguestpolicies
    shortNames:
    - gcposconfigguestpolicy
    - gcposconfigguestpolicies
    singular: osconfigguestpolicy
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Targeting. Per the description, an empty assignment applies the
              # policy to every VM under the parent, so a policy that omits this
              # block pushes every package/repository/recipe below to the whole
              # fleet; review such policies deliberately.
              assignment:
                description: Specifies the VMs that are assigned this policy. This
                  allows you to target sets or groups of VMs by different parameters
                  such as labels, names, OS, or zones. Empty assignments will target
                  ALL VMs underneath this policy. Conflict Management Policies that
                  exist higher up in the resource hierarchy (closer to the Org) will
                  override those lower down if there is a conflict. At the same level
                  in the resource hierarchy (ie. within a project), the service will
                  prevent the creation of multiple policies that conflict with each
                  other. If there are multiple policies that specify the same config
                  (eg. package, software recipe, repository, etc.), the service will
                  ensure that no VM could potentially receive instructions from both
                  policies. To create multiple policies that specify different versions
                  of a package or different configs for different Operating Systems,
                  each policy must be mutually exclusive in their targeting according
                  to labels, OS, or other criteria. Different configs are identified
                  for conflicts in different ways. Packages are identified by their
                  name and the package manager(s) they target. Package repositories
                  are identified by their unique id where applicable. Some package
                  managers don't have a unique identifier for repositories and where
                  that's the case, no uniqueness is validated by the service. Note
                  that if OS Inventory is disabled, a VM will not be assigned a policy
                  that targets by OS because the service will see this VM's OS as
                  unknown.
                properties:
                  groupLabels:
                    description: Targets instances matching at least one of these
                      label sets. This allows an assignment to target disparate groups,
                      for example "env=prod or env=staging".
                    items:
                      properties:
                        labels:
                          additionalProperties:
                            type: string
                          description: Google Compute Engine instance labels that
                            must be present for an instance to be included in this
                            assignment group.
                          type: object
                      type: object
                    type: array
                  instanceNamePrefixes:
                    description: Targets VM instances whose name starts with one of
                      these prefixes. Like labels, this is another way to group VM
                      instances when targeting configs, for example prefix="prod-".
                      Only supported for project-level policies.
                    items:
                      type: string
                    type: array
                  # Reference to a ComputeInstance: exactly one of `external`
                  # (the instance selfLink) or `name` (plus optional `namespace`)
                  # must be set; the oneOf below rejects both-set and neither-set.
                  instances:
                    items:
                      oneOf:
                      - not:
                          required:
                          - external
                        required:
                        - name
                      - not:
                          anyOf:
                          - required:
                            - name
                          - required:
                            - namespace
                        required:
                        - external
                      properties:
                        external:
                          description: 'Allowed value: The `selfLink` field of a `ComputeInstance`
                            resource.'
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                          type: string
                        namespace:
                          description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                          type: string
                      type: object
                    type: array
                  osTypes:
                    description: Targets VM instances matching at least one of the
                      following OS types. VM instances must match all supplied criteria
                      for a given OsType to be included.
                    items:
                      properties:
                        osArchitecture:
                          description: Targets VM instances with OS Inventory enabled
                            and having the following OS architecture.
                          type: string
                        osShortName:
                          description: Targets VM instances with OS Inventory enabled
                            and having the following OS short name, for example "debian"
                            or "windows".
                          type: string
                        osVersion:
                          description: Targets VM instances with OS Inventory enabled
                            and having the following following OS version.
                          type: string
                      type: object
                    type: array
                  zones:
                    description: Targets instances in any of these zones. Leave empty
                      to target instances in any zone. Zonal targeting is uncommon
                      and is supported to facilitate the management of changes by
                      zone.
                    items:
                      type: string
                    type: array
                type: object
              description:
                description: Description of the GuestPolicy. Length of the description
                  is limited to 1024 characters.
                type: string
              packageRepositories:
                description: List of package repository configurations assigned to
                  the VM instance.
                items:
                  properties:
                    apt:
                      description: An Apt Repository.
                      properties:
                        archiveType:
                          description: 'Type of archive files in this repository.
                            The default behavior is DEB. Possible values: ARCHIVE_TYPE_UNSPECIFIED,
                            DEB, DEB_SRC'
                          type: string
                        components:
                          description: Required. List of components for this repository.
                            Must contain at least one item.
                          items:
                            type: string
                          type: array
                        distribution:
                          description: Required. Distribution of this repository.
                          type: string
                        # The key fetched from this URI is added to the agent's
                        # shared keyring, so packages signed with it become trusted
                        # on every targeted VM. No checksum field exists for the key
                        # file in this schema; treat changes to gpgKey (and to the
                        # yum/zypper gpgKeys lists below) as security-relevant.
                        gpgKey:
                          description: URI of the key file for this repository. The
                            agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`
                            containing all the keys in any applied guest policy.
                          type: string
                        uri:
                          description: Required. URI for this repository.
                          type: string
                      required:
                      - distribution
                      - uri
                      type: object
                    goo:
                      description: A Goo Repository.
                      properties:
                        name:
                          description: Required. The name of the repository.
                          type: string
                        url:
                          description: Required. The url of the repository.
                          type: string
                      required:
                      - name
                      - url
                      type: object
                    yum:
                      description: A Yum Repository.
                      properties:
                        baseUrl:
                          description: Required. The location of the repository directory.
                          type: string
                        displayName:
                          description: The display name of the repository.
                          type: string
                        gpgKeys:
                          description: URIs of GPG keys.
                          items:
                            type: string
                          type: array
                        id:
                          description: Required. A one word, unique name for this
                            repository. This is the `repo id` in the Yum config file
                            and also the `display_name` if `display_name` is omitted.
                            This id is also used as the unique identifier when checking
                            for guest policy conflicts.
                          type: string
                      required:
                      - baseUrl
                      - id
                      type: object
                    zypper:
                      description: A Zypper Repository.
                      properties:
                        baseUrl:
                          description: Required. The location of the repository directory.
                          type: string
                        displayName:
                          description: The display name of the repository.
                          type: string
                        gpgKeys:
                          description: URIs of GPG keys.
                          items:
                            type: string
                          type: array
                        id:
                          description: Required. A one word, unique name for this
                            repository. This is the `repo id` in the zypper config
                            file and also the `display_name` if `display_name` is
                            omitted. This id is also used as the unique identifier
                            when checking for guest policy conflicts.
                          type: string
                      required:
                      - baseUrl
                      - id
                      type: object
                  type: object
                type: array
              packages:
                description: List of package configurations assigned to the VM instance.
                items:
                  properties:
                    # "Possible values" are listed in the description only; no
                    # `enum` is declared here, so unknown values are rejected by
                    # the service rather than at admission.
                    desiredState:
                      description: 'The desired_state the agent should maintain for
                        this package. The default is to ensure the package is installed.
                        Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED'
                      type: string
                    manager:
                      description: 'Type of package manager that can be used to install
                        this package. If a system does not have the package manager,
                        the package is not installed or removed no error message is
                        returned. By default, or if you specify `ANY`, the agent attempts
                        to install and remove this package using the default package
                        manager. This is useful when creating a policy that applies
                        to different types of systems. The default behavior is ANY.
                        Possible values: MANAGER_UNSPECIFIED, ANY, APT, YUM, ZYPPER,
                        GOO'
                      type: string
                    name:
                      description: Required. The name of the package. A package is
                        uniquely identified for conflict validation by checking the
                        package name and the manager(s) that the package targets.
                      type: string
                  type: object
                type: array
              recipes:
                description: Optional. A list of Recipes to install on the VM.
                items:
                  properties:
                    artifacts:
                      description: Resources available to be used in the steps in
                        the recipe.
                      items:
                        properties:
                          # When true, the checksum / TLS-only-transport / GCS
                          # generation validations listed in the description are
                          # skipped and the VM runs whatever is fetched. Admission
                          # policy should flag `allowInsecure: true`.
                          allowInsecure:
                            description: 'Defaults to false. When false, recipes are
                              subject to validations based on the artifact type: Remote:
                              A checksum must be specified, and only protocols with
                              transport-layer security are permitted. GCS: An object
                              generation number must be specified.'
                            type: boolean
                          gcs:
                            description: A Google Cloud Storage artifact.
                            properties:
                              bucketRef:
                                oneOf:
                                - not:
                                    required:
                                    - external
                                  required:
                                  - name
                                - not:
                                    anyOf:
                                    - required:
                                      - name
                                    - required:
                                      - namespace
                                  required:
                                  - external
                                properties:
                                  external:
                                    description: |-
                                      Bucket of the Google Cloud Storage object. Given an example URL: `https://storage.googleapis.com/my-bucket/foo/bar#1234567` this value would be `my-bucket`.

                                      Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`).
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                    type: string
                                  namespace:
                                    description: 'Namespace of the referent. More
                                      info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                                    type: string
                                type: object
                              # Pins the exact object version; required unless
                              # allowInsecure is true (see description).
                              generation:
                                description: Must be provided if allow_insecure is
                                  false. Generation number of the Google Cloud Storage
                                  object. `https://storage.googleapis.com/my-bucket/foo/bar#1234567`
                                  this value would be `1234567`.
                                format: int64
                                type: integer
                              object:
                                description: 'Name of the Google Cloud Storage object.
                                  As specified [here] (https://cloud.google.com/storage/docs/naming#objectnames)
                                  Given an example URL: `https://storage.googleapis.com/my-bucket/foo/bar#1234567`
                                  this value would be `foo/bar`.'
                                type: string
                            type: object
                          id:
                            description: Required. Id of the artifact, which the installation
                              and update steps of this recipe can reference. Artifacts
                              in a recipe cannot have the same id.
                            type: string
                          remote:
                            description: A generic remote artifact.
                            properties:
                              # SHA256 hex per the description. No `pattern` is
                              # declared, so a malformed checksum is caught by the
                              # service, not at admission.
                              checksum:
                                description: Must be provided if `allow_insecure`
                                  is `false`. SHA256 checksum in hex format, to compare
                                  to the checksum of the artifact. If the checksum
                                  is not empty and it doesn't match the artifact then
                                  the recipe installation fails before running any
                                  of the steps.
                                type: string
                              uri:
                                description: 'URI from which to fetch the object.
                                  It should contain both the protocol and path following
                                  the format: {protocol}://{location}.'
                                type: string
                            type: object
                        type: object
                      type: array
                    desiredState:
                      description: 'Default is INSTALLED. The desired state the agent
                        should maintain for this recipe. INSTALLED: The software recipe
                        is installed on the instance but won''t be updated to new
                        versions. UPDATED: The software recipe is installed on the
                        instance. The recipe is updated to a higher version, if a
                        higher version of the recipe is assigned to this instance.
                        REMOVE: Remove is unsupported for software recipes and attempts
                        to create or update a recipe to the REMOVE state is rejected.
                        Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED'
                      type: string
                    # Steps execute on every VM the assignment selects; fileExec
                    # and scriptRun below run arbitrary commands there. In practice
                    # create/update rights on this resource amount to code execution
                    # on the assigned instances: scope RBAC for
                    # osconfigguestpolicies accordingly and audit spec changes.
                    installSteps:
                      description: Actions to be taken for installing this recipe.
                        On failure it stops executing steps and does not attempt another
                        installation. Any steps taken (including partially completed
                        steps) are not rolled back.
                      items:
                        properties:
                          archiveExtraction:
                            description: Extracts an archive into the specified directory.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                              destination:
                                description: Directory to extract archive to. Defaults
                                  to `/` on Linux or `C:` on Windows.
                                type: string
                              type:
                                description: 'Required. The type of the archive to
                                  extract. Possible values: TYPE_UNSPECIFIED, VALIDATION,
                                  DESIRED_STATE_CHECK, DESIRED_STATE_ENFORCEMENT,
                                  DESIRED_STATE_CHECK_POST_ENFORCEMENT'
                                type: string
                            type: object
                          dpkgInstallation:
                            description: Installs a deb file via dpkg.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                            type: object
                          fileCopy:
                            description: Copies a file onto the instance.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                              destination:
                                description: Required. The absolute path on the instance
                                  to put the file.
                                type: string
                              overwrite:
                                description: Whether to allow this step to overwrite
                                  existing files. If this is false and the file already
                                  exists the file is not overwritten and the step
                                  is considered a success. Defaults to false.
                                type: boolean
                              # Declared as a string: quote it in manifests ("755"),
                              # since a bare 755 parses as an integer and fails
                              # schema validation.
                              permissions:
                                description: 'Consists of three octal digits which
                                  represent, in order, the permissions of the owner,
                                  group, and other users for the file (similarly to
                                  the numeric mode used in the linux chmod utility).
                                  Each digit represents a three bit number with the
                                  4 bit corresponding to the read permissions, the
                                  2 bit corresponds to the write bit, and the one
                                  bit corresponds to the execute permission. Default
                                  behavior is 755. Below are some examples of permissions
                                  and their associated values: read, write, and execute:
                                  7 read and execute: 5 read and write: 6 read only:
                                  4'
                                type: string
                            type: object
                          fileExec:
                            description: Executes an artifact or local file.
                            properties:
                              allowedExitCodes:
                                description: Defaults to [0]. A list of possible return
                                  values that the program can return to indicate a
                                  success.
                                items:
                                  format: int64
                                  type: integer
                                type: array
                              args:
                                description: Arguments to be passed to the provided
                                  executable.
                                items:
                                  type: string
                                type: array
                              artifactId:
                                description: The id of the relevant artifact in the
                                  recipe.
                                type: string
                              localPath:
                                description: The absolute path of the file on the
                                  local filesystem.
                                type: string
                            type: object
                          msiInstallation:
                            description: Installs an MSI file.
                            properties:
                              allowedExitCodes:
                                description: Return codes that indicate that the software
                                  installed or updated successfully. Behaviour defaults
                                  to [0]
                                items:
                                  format: int64
                                  type: integer
                                type: array
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                              flags:
                                description: The flags to use when installing the
                                  MSI defaults to ["/i"] (i.e. the install flag).
                                items:
                                  type: string
                                type: array
                            type: object
                          rpmInstallation:
                            description: Installs an rpm file via the rpm utility.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                            type: object
                          # Inline shell/PowerShell. `script` is a plain string in
                          # the object's spec, so keep secrets out of it and pass
                          # them to the VM by other means.
                          scriptRun:
                            description: Runs commands in a shell.
                            properties:
                              allowedExitCodes:
                                description: Return codes that indicate that the software
                                  installed or updated successfully. Behaviour defaults
                                  to [0]
                                items:
                                  format: int64
                                  type: integer
                                type: array
                              interpreter:
                                description: 'The script interpreter to use to run
                                  the script. If no interpreter is specified the script
                                  is executed directly, which likely only succeed
                                  for scripts with [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)).
                                  Possible values: INTERPRETER_UNSPECIFIED, NONE,
                                  SHELL, POWERSHELL'
                                type: string
                              script:
                                description: Required. The shell script to be executed.
                                type: string
                            type: object
                        type: object
                      type: array
                    name:
                      description: Required. Unique identifier for the recipe. Only
                        one recipe with a given name is installed on an instance.
                        Names are also used to identify resources which helps to determine
                        whether guest policies have conflicts. This means that requests
                        to create multiple recipes with the same name and version
                        are rejected since they could potentially have conflicting
                        assignments.
                      type: string
                    # Same step schema as installSteps above (and the same
                    # code-execution implications); runs on version upgrades.
                    updateSteps:
                      description: Actions to be taken for updating this recipe. On
                        failure it stops executing steps and does not attempt another
                        update for this recipe. Any steps taken (including partially
                        completed steps) are not rolled back.
                      items:
                        properties:
                          archiveExtraction:
                            description: Extracts an archive into the specified directory.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                              destination:
                                description: Directory to extract archive to. Defaults
                                  to `/` on Linux or `C:` on Windows.
                                type: string
                              type:
                                description: 'Required. The type of the archive to
                                  extract. Possible values: TYPE_UNSPECIFIED, VALIDATION,
                                  DESIRED_STATE_CHECK, DESIRED_STATE_ENFORCEMENT,
                                  DESIRED_STATE_CHECK_POST_ENFORCEMENT'
                                type: string
                            type: object
                          dpkgInstallation:
                            description: Installs a deb file via dpkg.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                            type: object
                          fileCopy:
                            description: Copies a file onto the instance.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                              destination:
                                description: Required. The absolute path on the instance
                                  to put the file.
                                type: string
                              overwrite:
                                description: Whether to allow this step to overwrite
                                  existing files. If this is false and the file already
                                  exists the file is not overwritten and the step
                                  is considered a success. Defaults to false.
                                type: boolean
                              permissions:
                                description: 'Consists of three octal digits which
                                  represent, in order, the permissions of the owner,
                                  group, and other users for the file (similarly to
                                  the numeric mode used in the linux chmod utility).
                                  Each digit represents a three bit number with the
                                  4 bit corresponding to the read permissions, the
                                  2 bit corresponds to the write bit, and the one
                                  bit corresponds to the execute permission. Default
                                  behavior is 755. Below are some examples of permissions
                                  and their associated values: read, write, and execute:
                                  7 read and execute: 5 read and write: 6 read only:
                                  4'
                                type: string
                            type: object
                          fileExec:
                            description: Executes an artifact or local file.
                            properties:
                              allowedExitCodes:
                                description: Defaults to [0]. A list of possible return
                                  values that the program can return to indicate a
                                  success.
                                items:
                                  format: int64
                                  type: integer
                                type: array
                              args:
                                description: Arguments to be passed to the provided
                                  executable.
                                items:
                                  type: string
                                type: array
                              artifactId:
                                description: The id of the relevant artifact in the
                                  recipe.
                                type: string
                              localPath:
                                description: The absolute path of the file on the
                                  local filesystem.
                                type: string
                            type: object
                          msiInstallation:
                            description: Installs an MSI file.
                            properties:
                              allowedExitCodes:
                                description: Return codes that indicate that the software
                                  installed or updated successfully. Behaviour defaults
                                  to [0]
                                items:
                                  format: int64
                                  type: integer
                                type: array
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                              flags:
                                description: The flags to use when installing the
                                  MSI defaults to ["/i"] (i.e. the install flag).
                                items:
                                  type: string
                                type: array
                            type: object
                          rpmInstallation:
                            description: Installs an rpm file via the rpm utility.
                            properties:
                              artifactId:
                                description: Required. The id of the relevant artifact
                                  in the recipe.
                                type: string
                            type: object
                          scriptRun:
                            description: Runs commands in a shell.
                            properties:
                              allowedExitCodes:
                                description: Return codes that indicate that the software
                                  installed or updated successfully. Behaviour defaults
                                  to [0]
                                items:
                                  format: int64
                                  type: integer
                                type: array
                              interpreter:
                                description: 'The script interpreter to use to run
                                  the script. If no interpreter is specified the script
                                  is executed directly, which likely only succeed
                                  for scripts with [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)).
                                  Possible values: INTERPRETER_UNSPECIFIED, NONE,
                                  SHELL, POWERSHELL'
                                type: string
                              script:
                                description: Required. The shell script to be executed.
                                type: string
                            type: object
                        type: object
                      type: array
                    # Declared as a string: quote dotted versions in manifests so
                    # a two-part value such as 1.10 is not read as the float 1.1.
                    version:
                      description: The version of this software recipe. Version can
                        be up to 4 period separated numbers (e.g. 12.34.56.78).
                      type: string
                  type: object
                type: array
              # Immutable after creation; defaults to metadata.name when unset.
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
            type: object
          # Written by the controller; served through the status subresource
          # declared below, so spec writes and status writes are separate.
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              createTime:
                description: Output only. Time this GuestPolicy was created.
                format: date-time
                type: string
              etag:
                description: The etag for this GuestPolicy. If this is provided on
                  update, it must match the server's etag.
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              updateTime:
                description: Output only. Last time this GuestPolicy was updated.
                format: date-time
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
# Empty placeholder status as emitted by the generator; the API server
# populates these fields once the CRD is applied.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []