Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
POST /v1/policies
PostPolicy creates a new policy.
Code | Message | Datatype |
---|---|---|
200 |
A successful response. |
|
0 |
An unexpected error response. |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
code |
Integer |
int32 |
|||
message |
String |
||||
details |
List of ProtobufAny |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
tactic |
String |
||||
techniques |
List of |
Any
contains an arbitrary serialized protocol buffer message along with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
Example 2: Pack and unpack a message in Java.
Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); }
Example 3: Pack and unpack a message in Python.
foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DESCRIPTOR): any.Unpack(foo) ...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... }
The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".
The JSON representation of an Any
value uses the regular
representation of the deserialized, embedded message, with an
additional field @type
which contains the type URL. Example:
package google.profile; message Person { string first_name = 1; string last_name = 2; }
{ "@type": "type.googleapis.com/google.profile.Person", "firstName": <string>, "lastName": <string> }
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
value
which holds the custom JSON in addition to the @type
field. Example (for message [google.protobuf.Duration][]):
{ "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" }
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
@type |
String |
A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in |
FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events.
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates.
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.
Enum Values |
---|
UNSET_ENFORCEMENT |
SCALE_TO_ZERO_ENFORCEMENT |
UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT |
KILL_POD_ENFORCEMENT |
FAIL_BUILD_ENFORCEMENT |
FAIL_KUBE_REQUEST_ENFORCEMENT |
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT |
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
||||
deployment |
|||||
image |
|||||
expiration |
Date |
date-time |
Next tag: 28
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
String |
Name of the policy. Must be unique. |
|||
description |
String |
Free-form text description of this policy. |
|||
rationale |
String |
||||
remediation |
String |
Describes how to remediate a violation of this policy. |
|||
disabled |
Boolean |
Toggles whether or not this policy will be executing and actively firing alerts. |
|||
categories |
List of |
List of categories that this policy falls under. Category names must already exist in Central. |
|||
lifecycleStages |
List of StorageLifecycleStage |
Describes which policy lifecylce stages this policy applies to. Choices are DEPLOY, BUILD, and RUNTIME. |
|||
eventSource |
NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT, |
||||
exclusions |
List of StorageExclusion |
Define deployments or images that should be excluded from this policy. |
|||
scope |
List of StorageScope |
Defines clusters, namespaces, and deployments that should be included in this policy. No scopes defined includes everything. |
|||
severity |
UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY, |
||||
enforcementActions |
List of StorageEnforcementAction |
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates. Lists the enforcement actions to take when a violation from this policy is identified. Possible value are UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT. |
|||
notifiers |
List of |
List of IDs of the notifiers that should be triggered when a violation from this policy is identified. IDs should be in the form of a UUID and are found through the Central API. |
|||
lastUpdated |
Date |
date-time |
|||
SORTName |
String |
For internal use only. |
|||
SORTLifecycleStage |
String |
For internal use only. |
|||
SORTEnforcement |
Boolean |
For internal use only. |
|||
policyVersion |
String |
||||
policySections |
List of StoragePolicySection |
PolicySections define the violation criteria for this policy. |
|||
mitreAttackVectors |
List of PolicyMitreAttackVectors |
||||
criteriaLocked |
Boolean |
Read-only field. If true, the policy’s criteria fields are rendered read-only. |
|||
mitreVectorsLocked |
Boolean |
Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only. |
|||
isDefault |
Boolean |
Read-only field. Indicates the policy is a default policy if true and a custom policy if false. |
|||
source |
IMPERATIVE, DECLARATIVE, |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
fieldName |
String |
Defines which field on a deployment or image this PolicyGroup evaluates. See https://docs.openshift.com/acs/operating/manage-security-policies.html#policy-criteria_manage-security-policies for a complete list of possible values. |
|||
booleanOperator |
OR, AND, |
||||
negate |
Boolean |
Determines if the evaluation of this PolicyGroup is negated. Default to false. |
|||
values |
List of StoragePolicyValue |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
sectionName |
String |
||||
policyGroups |
List of StoragePolicyGroup |
The set of policies groups that make up this section. Each group can be considered an individual criterion. |