# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: osconfigospolicyassignments.osconfig.cnrm.cloud.google.com
spec:
  group: osconfig.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: OSConfigOSPolicyAssignment
    plural: osconfigospolicyassignments
    shortNames:
    - gcposconfigospolicyassignment
    - gcposconfigospolicyassignments
    singular: osconfigospolicyassignment
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              description:
                description: OS policy assignment description. Length of the description is limited to 1024 characters.
                type: string
              instanceFilter:
                description: Required. Filter to select VMs.
                properties:
                  all:
                    description: Target all VMs in the project. If true, no other criteria are permitted.
                    type: boolean
                  exclusionLabels:
                    description: List of label sets used for VM exclusion. If the list has more than one label set, the VM is excluded if any of the label sets are applicable for the VM.
                    items:
                      properties:
                        labels:
                          additionalProperties:
                            type: string
                          description: Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
                          type: object
                      type: object
                    type: array
                  inclusionLabels:
                    description: List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM.
                    items:
                      properties:
                        labels:
                          additionalProperties:
                            type: string
                          description: Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected.
                          type: object
                      type: object
                    type: array
                  inventories:
                    description: List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories.
                    items:
                      properties:
                        osShortName:
                          description: Required. The OS short name.
                          type: string
                        osVersion:
                          description: The OS version. Prefix matches are supported if an asterisk (*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*`. An empty string matches all OS versions.
                          type: string
                      required:
                      - osShortName
                      type: object
                    type: array
                type: object
              location:
                description: Immutable. The location for the resource.
                type: string
              osPolicies:
                description: Required. List of OS policies to be applied to the VMs.
                items:
                  properties:
                    allowNoResourceGroupMatch:
                      description: This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce.
                      type: boolean
                    description:
                      description: Policy description. Length of the description is limited to 1024 characters.
                      type: string
                    id:
                      description: 'Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment.'
                      type: string
                    mode:
                      description: 'Required. Policy mode. Possible values: MODE_UNSPECIFIED, VALIDATION, ENFORCEMENT'
                      type: string
                    resourceGroups:
                      description: Required. List of resource groups for the policy. For a particular VM, resource groups are evaluated in the order specified and the first resource group that is applicable is selected and the rest are ignored. If none of the resource groups are applicable for a VM, the VM is considered to be non-compliant w.r.t. this policy. This behavior can be toggled by the flag `allow_no_resource_group_match`.
                      items:
                        properties:
                          inventoryFilters:
                            description: 'List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with the following values: inventory_filters[0].os_short_name=''rhel'' and inventory_filters[1].os_short_name=''centos''. If the list is empty, this resource group will be applied to the target VM unconditionally.'
                            items:
                              properties:
                                osShortName:
                                  description: Required. The OS short name.
                                  type: string
                                osVersion:
                                  description: The OS version. Prefix matches are supported if an asterisk (*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*`. An empty string matches all OS versions.
                                  type: string
                              required:
                              - osShortName
                              type: object
                            type: array
                          resources:
                            description: Required. List of resources configured for this resource group. The resources are executed in the exact order specified here.
                            items:
                              properties:
                                exec:
                                  description: Exec resource
                                  properties:
                                    enforce:
                                      description: What to run to bring this resource into the desired state. An exit code of 100 indicates "success", any other exit code indicates a failure running enforce.
                                      properties:
                                        args:
                                          description: Optional arguments to pass to the source during execution.
                                          items:
                                            type: string
                                          type: array
                                        file:
                                          description: A remote or local file.
                                          properties:
                                            allowInsecure:
                                              description: 'Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.'
                                              type: boolean
                                            gcs:
                                              description: A Cloud Storage object.
                                              properties:
                                                bucket:
                                                  description: Required. Bucket of the Cloud Storage object.
                                                  type: string
                                                generation:
                                                  description: Generation number of the Cloud Storage object.
                                                  format: int64
                                                  type: integer
                                                object:
                                                  description: Required. Name of the Cloud Storage object.
                                                  type: string
                                              required:
                                              - bucket
                                              - object
                                              type: object
                                            localPath:
                                              description: A local path within the VM to use.
                                              type: string
                                            remote:
                                              description: A generic remote file.
                                              properties:
                                                sha256Checksum:
                                                  description: SHA256 checksum of the remote file.
                                                  type: string
                                                uri:
                                                  description: Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                                                  type: string
                                              required:
                                              - uri
                                              type: object
                                          type: object
                                        interpreter:
                                          description: 'Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL'
                                          type: string
                                        outputFilePath:
                                          description: Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.
                                          type: string
                                        script:
                                          description: An inline script. The size of the script is limited to 1024 characters.
                                          type: string
                                      required:
                                      - interpreter
                                      type: object
                                    validate:
                                      description: Required. What to run to validate this resource is in the desired state. An exit code of 100 indicates "in desired state", and an exit code of 101 indicates "not in desired state". Any other exit code indicates a failure running validate.
                                      properties:
                                        args:
                                          description: Optional arguments to pass to the source during execution.
                                          items:
                                            type: string
                                          type: array
                                        file:
                                          description: A remote or local file.
                                          properties:
                                            allowInsecure:
                                              description: 'Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.'
                                              type: boolean
                                            gcs:
                                              description: A Cloud Storage object.
                                              properties:
                                                bucket:
                                                  description: Required. Bucket of the Cloud Storage object.
                                                  type: string
                                                generation:
                                                  description: Generation number of the Cloud Storage object.
                                                  format: int64
                                                  type: integer
                                                object:
                                                  description: Required. Name of the Cloud Storage object.
                                                  type: string
                                              required:
                                              - bucket
                                              - object
                                              type: object
                                            localPath:
                                              description: A local path within the VM to use.
                                              type: string
                                            remote:
                                              description: A generic remote file.
                                              properties:
                                                sha256Checksum:
                                                  description: SHA256 checksum of the remote file.
                                                  type: string
                                                uri:
                                                  description: Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                                                  type: string
                                              required:
                                              - uri
                                              type: object
                                          type: object
                                        interpreter:
                                          description: 'Required. The script interpreter to use. Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL'
                                          type: string
                                        outputFilePath:
                                          description: Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 100K bytes.
                                          type: string
                                        script:
                                          description: An inline script. The size of the script is limited to 1024 characters.
                                          type: string
                                      required:
                                      - interpreter
                                      type: object
                                  required:
                                  - validate
                                  type: object
                                file:
                                  description: File resource
                                  properties:
                                    content:
                                      description: A file with this content. The size of the content is limited to 1024 characters.
                                      type: string
                                    file:
                                      description: A remote or local source.
                                      properties:
                                        allowInsecure:
                                          description: 'Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.'
                                          type: boolean
                                        gcs:
                                          description: A Cloud Storage object.
                                          properties:
                                            bucket:
                                              description: Required. Bucket of the Cloud Storage object.
                                              type: string
                                            generation:
                                              description: Generation number of the Cloud Storage object.
                                              format: int64
                                              type: integer
                                            object:
                                              description: Required. Name of the Cloud Storage object.
                                              type: string
                                          required:
                                          - bucket
                                          - object
                                          type: object
                                        localPath:
                                          description: A local path within the VM to use.
                                          type: string
                                        remote:
                                          description: A generic remote file.
                                          properties:
                                            sha256Checksum:
                                              description: SHA256 checksum of the remote file.
                                              type: string
                                            uri:
                                              description: Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                                              type: string
                                          required:
                                          - uri
                                          type: object
                                      type: object
                                    path:
                                      description: Required. The absolute path of the file within the VM.
                                      type: string
                                    permissions:
                                      description: 'Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the Linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permission, the 2 bit corresponding to the write permission, and the 1 bit corresponding to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4'
                                      type: string
                                    state:
                                      description: 'Required. Desired state of the file. Possible values: OS_POLICY_COMPLIANCE_STATE_UNSPECIFIED, COMPLIANT, NON_COMPLIANT, UNKNOWN, NO_OS_POLICIES_APPLICABLE'
                                      type: string
                                  required:
                                  - path
                                  - state
                                  type: object
                                id:
                                  description: 'Required. The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy.'
                                  type: string
                                pkg:
                                  description: Package resource
                                  properties:
                                    apt:
                                      description: A package managed by Apt.
                                      properties:
                                        name:
                                          description: Required. Package name.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    deb:
                                      description: A deb package file.
                                      properties:
                                        pullDeps:
                                          description: 'Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb`'
                                          type: boolean
                                        source:
                                          description: Required. A deb package.
                                          properties:
                                            allowInsecure:
                                              description: 'Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.'
                                              type: boolean
                                            gcs:
                                              description: A Cloud Storage object.
                                              properties:
                                                bucket:
                                                  description: Required. Bucket of the Cloud Storage object.
                                                  type: string
                                                generation:
                                                  description: Generation number of the Cloud Storage object.
                                                  format: int64
                                                  type: integer
                                                object:
                                                  description: Required. Name of the Cloud Storage object.
                                                  type: string
                                              required:
                                              - bucket
                                              - object
                                              type: object
                                            localPath:
                                              description: A local path within the VM to use.
                                              type: string
                                            remote:
                                              description: A generic remote file.
                                              properties:
                                                sha256Checksum:
                                                  description: SHA256 checksum of the remote file.
                                                  type: string
                                                uri:
                                                  description: Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                                                  type: string
                                              required:
                                              - uri
                                              type: object
                                          type: object
                                      required:
                                      - source
                                      type: object
                                    desiredState:
                                      description: 'Required. The desired state the agent should maintain for this package. Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED'
                                      type: string
                                    googet:
                                      description: A package managed by GooGet.
                                      properties:
                                        name:
                                          description: Required. Package name.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    msi:
                                      description: An MSI package.
                                      properties:
                                        properties:
                                          description: Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`.
                                          items:
                                            type: string
                                          type: array
                                        source:
                                          description: Required. The MSI package.
                                          properties:
                                            allowInsecure:
                                              description: 'Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.'
                                              type: boolean
                                            gcs:
                                              description: A Cloud Storage object.
                                              properties:
                                                bucket:
                                                  description: Required. Bucket of the Cloud Storage object.
                                                  type: string
                                                generation:
                                                  description: Generation number of the Cloud Storage object.
                                                  format: int64
                                                  type: integer
                                                object:
                                                  description: Required. Name of the Cloud Storage object.
                                                  type: string
                                              required:
                                              - bucket
                                              - object
                                              type: object
                                            localPath:
                                              description: A local path within the VM to use.
                                              type: string
                                            remote:
                                              description: A generic remote file.
                                              properties:
                                                sha256Checksum:
                                                  description: SHA256 checksum of the remote file.
                                                  type: string
                                                uri:
                                                  description: Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                                                  type: string
                                              required:
                                              - uri
                                              type: object
                                          type: object
                                      required:
                                      - source
                                      type: object
                                    rpm:
                                      description: An rpm package file.
                                      properties:
                                        pullDeps:
                                          description: 'Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm`'
                                          type: boolean
                                        source:
                                          description: Required. An rpm package.
                                          properties:
                                            allowInsecure:
                                              description: 'Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.'
                                              type: boolean
                                            gcs:
                                              description: A Cloud Storage object.
                                              properties:
                                                bucket:
                                                  description: Required. Bucket of the Cloud Storage object.
                                                  type: string
                                                generation:
                                                  description: Generation number of the Cloud Storage object.
                                                  format: int64
                                                  type: integer
                                                object:
                                                  description: Required. Name of the Cloud Storage object.
                                                  type: string
                                              required:
                                              - bucket
                                              - object
                                              type: object
                                            localPath:
                                              description: A local path within the VM to use.
                                              type: string
                                            remote:
                                              description: A generic remote file.
                                              properties:
                                                sha256Checksum:
                                                  description: SHA256 checksum of the remote file.
                                                  type: string
                                                uri:
                                                  description: Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`.
                                                  type: string
                                              required:
                                              - uri
                                              type: object
                                          type: object
                                      required:
                                      - source
                                      type: object
                                    yum:
                                      description: A package managed by YUM.
                                      properties:
                                        name:
                                          description: Required. Package name.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                    zypper:
                                      description: A package managed by Zypper.
                                      properties:
                                        name:
                                          description: Required. Package name.
                                          type: string
                                      required:
                                      - name
                                      type: object
                                  required:
                                  - desiredState
                                  type: object
                                repository:
                                  description: Package repository resource
                                  properties:
                                    apt:
                                      description: An Apt Repository.
                                      properties:
                                        archiveType:
                                          description: 'Required. Type of archive files in this repository. Possible values: ARCHIVE_TYPE_UNSPECIFIED, DEB, DEB_SRC'
                                          type: string
                                        components:
                                          description: Required. List of components for this repository. Must contain at least one item.
                                          items:
                                            type: string
                                          type: array
                                        distribution:
                                          description: Required. Distribution of this repository.
                                          type: string
                                        gpgKey:
                                          description: URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`.
                                          type: string
                                        uri:
                                          description: Required. URI for this repository.
                                          type: string
                                      required:
                                      - archiveType
                                      - components
                                      - distribution
                                      - uri
                                      type: object
                                    goo:
                                      description: A Goo Repository.
                                      properties:
                                        name:
                                          description: Required. The name of the repository.
                                          type: string
                                        url:
                                          description: Required. The url of the repository.
                                          type: string
                                      required:
                                      - name
                                      - url
                                      type: object
                                    yum:
                                      description: A Yum Repository.
                                      properties:
                                        baseUrl:
                                          description: Required. The location of the repository directory.
                                          type: string
                                        displayName:
                                          description: The display name of the repository.
                                          type: string
                                        gpgKeys:
                                          description: URIs of GPG keys.
                                          items:
                                            type: string
                                          type: array
                                        id:
                                          description: Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts.
                                          type: string
                                      required:
                                      - baseUrl
                                      - id
                                      type: object
                                    zypper:
                                      description: A Zypper Repository.
                                      properties:
                                        baseUrl:
                                          description: Required. The location of the repository directory.
                                          type: string
                                        displayName:
                                          description: The display name of the repository.
                                          type: string
                                        gpgKeys:
                                          description: URIs of GPG keys.
                                          items:
                                            type: string
                                          type: array
                                        id:
                                          description: Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.
                                          type: string
                                      required:
                                      - baseUrl
                                      - id
                                      type: object
                                  type: object
                              required:
                              - id
                              type: object
                            type: array
                        required:
                        - resources
                        type: object
                      type: array
                  required:
                  - id
                  - mode
                  - resourceGroups
                  type: object
                type: array
              projectRef:
                description: Immutable. The Project that this resource belongs to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The project for the resource

                      Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
                type: string
              rollout:
                description: 'Required. Rollout to deploy the OS policy assignment. A rollout is triggered in the following situations: 1) OSPolicyAssignment is created. 2) OSPolicyAssignment is updated and the update contains changes to one of the following fields: - instance_filter - os_policies 3) OSPolicyAssignment is deleted.'
                properties:
                  disruptionBudget:
                    description: Required. The maximum number (or percentage) of VMs per zone to disrupt at any given moment.
                    properties:
                      fixed:
                        description: Specifies a fixed value.
                        format: int64
                        type: integer
                      percent:
                        description: Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
                        format: int64
                        type: integer
                    type: object
                  minWaitDuration:
                    description: Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied.
                    type: string
                required:
                - disruptionBudget
                - minWaitDuration
                type: object
              skipAwaitRollout:
                description: Set to true to skip awaiting rollout during resource creation and update.
                type: boolean
            required:
            - instanceFilter
            - location
            - osPolicies
            - projectRef
            - rollout
            type: object
          status:
            properties:
              baseline:
                description: Output only. Indicates that this revision has been successfully rolled out in this zone and new VMs will be assigned OS policies from this revision. For a given OS policy assignment, there is only one revision with a value of `true` for this field.
                type: boolean
              conditions:
                description: Conditions represent the latest available observation of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True, False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              deleted:
                description: Output only. Indicates that this revision deletes the OS policy assignment.
                type: boolean
              etag:
                description: The etag for this OS policy assignment. If this is provided on update, it must match the server's etag.
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.
                type: integer
              reconciling:
                description: 'Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING'
                type: boolean
              revisionCreateTime:
                description: Output only. The timestamp that the revision was created.
                format: date-time
                type: string
              revisionId:
                description: Output only. The assignment revision ID. A new revision is committed whenever a rollout is triggered for an OS policy assignment.
                type: string
              rolloutState:
                description: 'Output only. OS policy assignment rollout state. Possible values: ROLLOUT_STATE_UNSPECIFIED, IN_PROGRESS, CANCELLING, CANCELLED, SUCCEEDED'
                type: string
              uid:
                description: Output only. Server generated unique id for the OS policy assignment resource.
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []