Open Policy Agent Config Schema¶
Note
This is auto-generated documentation from a JSON schema that is under construction, this will improve over time.
Return to the root config schema
https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/properties/opa
Configure Open Policy Agent, constraints and mutations enforced by Gatekeeper.
Compliant Kubernetes contains multiple safeguards to make it easy to follow security best practices.
This includes an implementation of constraints and mutations with similar behaviour as Pod Security Policies, and application developer centric safeguards.
| Abstract | Extensible | Status | Identifiable | Custom Properties | Additional Properties | Access Restrictions | Defined In |
|---|---|---|---|---|---|---|---|
| Can be instantiated | No | Unknown status | No | Forbidden | Forbidden | none | config/schemas/config.yaml* |
TYPE:
object (Open Policy Agent Config)
PROPERTIES:
auditChunkSize¶
auditChunkSize
-
is optional
-
Type:
number(Gatekeeper Audit Chunk Size) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
number (Gatekeeper Audit Chunk Size)
DEFAULTS:
The default value is:
500
auditFromCache¶
auditFromCache
-
is optional
-
Type:
boolean(Gatekeeper Audit From Cache) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
boolean (Gatekeeper Audit From Cache)
auditIntervalSeconds¶
auditIntervalSeconds
-
is optional
-
Type:
number(Gatekeeper Audit Interval) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
number (Gatekeeper Audit Interval)
DEFAULTS:
The default value is:
600
constraintViolationsLimit¶
constraintViolationsLimit
-
is optional
-
Type:
number(Gatekeeper Audit Constraints Violation Limits) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
number (Gatekeeper Audit Constraints Violation Limits)
DEFAULTS:
The default value is:
20
disallowedTags¶
Configure constraint to disallow configured tags on container images.
Note
See the dev docs for context.
disallowedTags
-
is optional
-
Type:
object(Safeguard Disallowed Tags) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Safeguard Disallowed Tags)
imageRegistry¶
Configure constraint to only allow configured registries for container images.
Note
See the dev docs for context.
imageRegistry
-
is optional
-
Type:
object(Safeguard Trusted Registries) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Safeguard Trusted Registries)
minimumDeploymentReplicas¶
Configure constraint to only allow Deployments and StatefulSets with more than one replica.
Note
See the dev docs for context.
minimumDeploymentReplicas
-
is optional
-
Type:
object(Safeguard Minimum Replicas) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Safeguard Minimum Replicas)
networkPolicies¶
Configure constraint to only allow Pods targeted by NetworkPolicies.
Note
See the dev docs for context.
networkPolicies
-
is optional
-
Type:
object(Safeguard Network Policies) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Safeguard Network Policies)
rejectLoadBalancerService¶
Configure constraint to reject creation of Services with the type LoadBalancer.
Advantageous if the cluster cannot automatically provision LoadBalancers, e.g. because the infrastructure provider do not offer such Kubernetes integration.
Note
See the dev docs for context.
rejectLoadBalancerService
-
is optional
-
Type:
object(Safeguard Reject Load Balancer Service) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Safeguard Reject Load Balancer Service)
resourceRequests¶
Configure constraint to only allow Pods configured with resource requests.
Note
See the dev docs for context.
resourceRequests
-
is optional
-
Type:
object(Safeguard Resource Requests) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Safeguard Resource Requests)
mutations¶
Configure mutations to set defaults in deployed resources.
mutations
-
is optional
-
Type:
object(Mutations) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Mutations)
audit¶
Configure the Audit deployment of OPA Gatekeeper.
audit
-
is optional
-
Type:
object(OPA Gatekeeper Audit) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (OPA Gatekeeper Audit)
controllerManager¶
This is meant to describe the base class if you will, for ck8s resources.
controllerManager
-
is optional
-
Type:
object(Common Resource) -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
object (Common Resource)
mutatingWebhookTimeoutSeconds¶
mutatingWebhookTimeoutSeconds
-
is optional
-
Type:
number -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
number
DEFAULTS:
The default value is:
5
validatingWebhookTimeoutSeconds¶
validatingWebhookTimeoutSeconds
-
is optional
-
Type:
number -
cannot be null
-
defined in: Compliant Kubernetes Apps Config
TYPE:
number
DEFAULTS:
The default value is:
5
Return to the root config schema
Generated Sat Jun 22 03:48:20 UTC 2024 from elastisys/compliantkubernetes-apps@main