Documentation ¶
Index ¶
- Variables
- func NestedFieldNoCopy(obj map[string]interface{}, fields ...string) (interface{}, bool, error)
- func PrepareQuery() (rego.PreparedEvalQuery, error)
- type AttributeOptimization
- type DataRequest
- type Decision
- type DecisionPerCapability
- type DecisionPerCapabilityMap
- type DecisionPolicy
- type DeploymentStatus
- type EvaluationOutputStructure
- type EvaluatorInput
- type EvaluatorInterface
- type EvaluatorOutput
- type OptimizationDirective
- type OptimizationStrategy
- type RegoPolicyEvaluator
- type Restriction
- type Restrictions
- type RuleDecisionList
- type StringList
- type WorkloadInfo
Constants ¶
This section is empty.
Variables ¶
var RegoPolicyDirectory = environment.GetDataDir() + "/adminconfig/"
RegoPolicyDirectory is a directory containing rego files that define admin config policies
Functions ¶
func NestedFieldNoCopy ¶ added in v0.7.0
func PrepareQuery ¶ added in v0.6.1
func PrepareQuery() (rego.PreparedEvalQuery, error)
PrepareQuery prepares a query for OPA evaluation: the data object and the compiled modules. This function is called in main before the FybrikApplication controller is created. Monitoring changes in rego files will be implemented in a future version.
Types ¶
type AttributeOptimization ¶ added in v0.7.0
type AttributeOptimization struct {
    // Attribute name
    // +required
    Attribute string `json:"attribute"`
    // Optimization directive: minimize or maximize
    // +required
    Directive OptimizationDirective `json:"directive"`
    // Weight, a positive number not exceeding 1.0
    // Serialized as a string
    Weight string `json:"weight,omitempty"`
}
type DataRequest ¶
type DataRequest struct {
    // asset identifier
    DatasetID string `json:"datasetID"`
    // requested interface
    Interface *taxonomy.Interface `json:"interface,omitempty"`
    // requested usage, e.g. "read": true, "write": false
    Usage taxonomy.DataFlow `json:"usage"`
    // Asset metadata
    Metadata *datacatalog.ResourceMetadata `json:"dataset"`
}
DataRequest is a request to use a specific asset
type Decision ¶
type Decision struct {
    // a decision regarding deployment: True = require, False = forbid, Unknown = allow
    Deploy DeploymentStatus `json:"deploy,omitempty"`
    // Deployment restrictions on modules, clusters and additional resources
    DeploymentRestrictions Restrictions `json:"restrictions,omitempty"`
    // Descriptions of policies that have been used for evaluation
    Policy DecisionPolicy `json:"policy,omitempty"`
}
Decision is a result of evaluating a configuration policy which satisfies the specified predicates
type DecisionPerCapability ¶ added in v0.7.0
type DecisionPerCapability struct {
    Capability taxonomy.Capability `json:"capability"`
    Decision   Decision            `json:"decision"`
}
type DecisionPerCapabilityMap ¶
type DecisionPerCapabilityMap map[taxonomy.Capability]Decision
type DecisionPolicy ¶
type DecisionPolicy struct {
    ID          string `json:"ID"`
    PolicySetID string `json:"policySetID,omitempty"`
    Description string `json:"description,omitempty"`
    Version     string `json:"version,omitempty"`
}
DecisionPolicy is a justification for a policy that consists of a unique ID, the ID of a policy set and a human-readable description
type DeploymentStatus ¶ added in v0.7.0
type DeploymentStatus string
+kubebuilder:validation:Enum=True;False;Unknown
const (
    StatusTrue    DeploymentStatus = "True"
    StatusFalse   DeploymentStatus = "False"
    StatusUnknown DeploymentStatus = "Unknown"
)
DeploymentStatus values
type EvaluationOutputStructure ¶ added in v0.7.0
type EvaluationOutputStructure struct {
    Config RuleDecisionList `json:"config"`
    // +optional
    Optimize []OptimizationStrategy `json:"optimize,omitempty"`
}
Result of query evaluation
type EvaluatorInput ¶
type EvaluatorInput struct {
    // Workload configuration
    Workload WorkloadInfo `json:"workload"`
    // Requirements for asset usage
    Request DataRequest `json:"request"`
}
EvaluatorInput is an input to Configuration Policies Evaluator. Used to evaluate configuration policies.
type EvaluatorInterface ¶
type EvaluatorInterface interface {
    Evaluate(in *EvaluatorInput) (EvaluatorOutput, error)
}
EvaluatorInterface is an interface for config policies' evaluator
type EvaluatorOutput ¶
type EvaluatorOutput struct {
    // Valid is true when there is no conflict between the decisions, and false otherwise
    Valid bool
    // Dataset identifier
    DatasetID string
    // Unique fybrikapplication id used for logging
    UUID string
    // Policy set id used in the evaluation
    PolicySetID string
    // Decisions per capability (after being merged)
    ConfigDecisions DecisionPerCapabilityMap
    // Optimization strategy
    OptimizationStrategy []AttributeOptimization
    // Affecting policies
    Policies []DecisionPolicy
}
EvaluatorOutput is an output of ConfigurationPoliciesEvaluator. Used by manager to decide which modules are deployed and in which cluster.
type OptimizationDirective ¶ added in v0.7.0
type OptimizationDirective string
+kubebuilder:validation:Enum=min;max
const (
    Minimize OptimizationDirective = "min"
    Maximize OptimizationDirective = "max"
)
List of directives
type OptimizationStrategy ¶ added in v0.7.0
type OptimizationStrategy struct {
    Strategy []AttributeOptimization `json:"strategy"`
    Policy   DecisionPolicy          `json:"policy"`
}
A list of attribute optimizations
type RegoPolicyEvaluator ¶
type RegoPolicyEvaluator struct {
    Log   zerolog.Logger
    Query rego.PreparedEvalQuery
    Mux   *sync.RWMutex
}
RegoPolicyEvaluator implements EvaluatorInterface
func NewRegoPolicyEvaluator ¶
func NewRegoPolicyEvaluator() (*RegoPolicyEvaluator, error)
NewRegoPolicyEvaluator constructs a new RegoPolicyEvaluator object
func NewRegoPolicyEvaluatorWithQuery ¶ added in v0.7.0
func NewRegoPolicyEvaluatorWithQuery(query rego.PreparedEvalQuery) *RegoPolicyEvaluator
func (*RegoPolicyEvaluator) Evaluate ¶
func (r *RegoPolicyEvaluator) Evaluate(in *EvaluatorInput) (EvaluatorOutput, error)
Evaluate method evaluates the rego files based on the dynamic input object
func (*RegoPolicyEvaluator) GetOptions ¶ added in v0.7.0
func (r *RegoPolicyEvaluator) GetOptions() monitor.FileMonitorOptions
Options for file monitor including the monitored directory and the relevant file extension
func (*RegoPolicyEvaluator) OnError ¶ added in v0.7.0
func (r *RegoPolicyEvaluator) OnError(err error)
func (*RegoPolicyEvaluator) OnNotify ¶ added in v0.7.0
func (r *RegoPolicyEvaluator) OnNotify()
Notification event: policy files have been changed
type Restriction ¶
type Restriction struct {
    Property string              `json:"property"`
    Values   StringList          `json:"values,omitempty"`
    Range    *taxonomy.RangeType `json:"range,omitempty"`
}
func (Restriction) SatisfiedByResource ¶ added in v0.7.0
func (restrict Restriction) SatisfiedByResource(attrManager *infrastructure.AttributeManager, spec interface{}, instanceName string) bool
Validation of an object with respect to the admin config restriction
type Restrictions ¶
type Restrictions struct {
    Clusters        []Restriction `json:"clusters,omitempty"`
    Modules         []Restriction `json:"modules,omitempty"`
    StorageAccounts []Restriction `json:"storageaccounts,omitempty"`
}
Deployment restrictions on modules, clusters and additional resources that will be added in the future
type RuleDecisionList ¶
type RuleDecisionList []DecisionPerCapability
A list of decisions, e.g. [{"capability": "read", "decision": {"deploy": "True"}}, {"capability": "write", "decision": {"deploy": "False"}}]
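An added example, not Fybrik's own code: it decodes a RuleDecisionList like the one above and merges the entries per capability, returning the equivalent of EvaluatorOutput.Valid as false when a require and a forbid meet. The merge rule (Unknown yields to True/False; True against False is a conflict), the function name MergeRuleDecisions and the simplified local types are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirrors of the documented types; taxonomy.Capability is simplified to string.
type DeploymentStatus string

const (
	StatusTrue    DeploymentStatus = "True"
	StatusFalse   DeploymentStatus = "False"
	StatusUnknown DeploymentStatus = "Unknown"
)
type DecisionPerCapability struct {
	Capability string `json:"capability"`
	Decision   struct {
		Deploy DeploymentStatus `json:"deploy,omitempty"`
	} `json:"decision"`
}

// MergeRuleDecisions decodes a RuleDecisionList and merges it per capability.
// Assumed rule (not Fybrik's code): Unknown/empty yields; True vs False is a conflict.
func MergeRuleDecisions(raw []byte) (map[string]DeploymentStatus, bool, error) {
	var list []DecisionPerCapability
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, false, err
	}
	merged, valid := map[string]DeploymentStatus{}, true
	for _, d := range list {
		next := d.Decision.Deploy
		if next == "" {
			next = StatusUnknown // omitted "deploy" carries no opinion
		} else if next != StatusTrue && next != StatusFalse && next != StatusUnknown {
			return nil, false, fmt.Errorf("%s: deploy value %q is outside the enum", d.Capability, next)
		}
		if prev, seen := merged[d.Capability]; !seen || prev == StatusUnknown {
			merged[d.Capability] = next
		} else if next != StatusUnknown && next != prev {
			valid = false // require vs forbid: the caller should refuse to deploy
		}
	}
	return merged, valid, nil
}

func main() {
	// Constructed input: a require/forbid conflict on "read".
	fmt.Println(MergeRuleDecisions([]byte(`[{"capability":"read","decision":{"deploy":"True"}},{"capability":"read","decision":{"deploy":"False"}}]`)))
}
```

A caller that treats valid == false or a non-nil error as "do not deploy" fails closed when policies disagree or a policy emits a value outside the enum.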
type StringList ¶ added in v0.7.0
type StringList []string
Restriction maps a property to a list of allowed values. The semantics is a disjunction of values, e.g. a type can be either plugin or config.
type WorkloadInfo ¶
type WorkloadInfo struct {
    // Unique fybrikapplication id used for logging
    UUID string `json:"uuid"`
    // Policy set id to allow evaluation of a specific set of policies per fybrikapplication
    PolicySetID string `json:"policySetID"`
    // Cluster where the user workload is running
    Cluster multicluster.Cluster `json:"cluster"`
    // Application/workload properties
    Properties taxonomy.AppInfo `json:"properties,omitempty"`
}
WorkloadInfo holds workload details such as the cluster where the workload is running, and additional properties defined in the taxonomy, e.g. workload type