×

POST /v1/policies

PostPolicy creates a new policy.

Description

Parameters

Body Parameter

Name Description Required Default Pattern

policy

StoragePolicy

X

Query Parameters

Name Description Required Default Pattern

enableStrictValidation

-

null

Return Type

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes
Code Message Datatype

200

A successful response.

StoragePolicy

0

An unexpected error response.

GooglerpcStatus

Samples

Common object reference

GooglerpcStatus

Field Name Required Nullable Type Description Format

code

Integer

int32

message

String

details

List of ProtobufAny

PolicyMitreAttackVectors

Field Name Required Nullable Type Description Format

tactic

String

techniques

List of string

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Field Name Required Nullable Type Description Format

@type

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

StorageBooleanOperator

Enum Values

OR

AND

StorageEnforcementAction

  • FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events.

  • FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates.

  • FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.

Enum Values

UNSET_ENFORCEMENT

SCALE_TO_ZERO_ENFORCEMENT

UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT

KILL_POD_ENFORCEMENT

FAIL_BUILD_ENFORCEMENT

FAIL_KUBE_REQUEST_ENFORCEMENT

FAIL_DEPLOYMENT_CREATE_ENFORCEMENT

FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT

StorageEventSource

Enum Values

NOT_APPLICABLE

DEPLOYMENT_EVENT

AUDIT_LOG_EVENT

StorageExclusion

Field Name Required Nullable Type Description Format

name

String

deployment

StorageExclusionDeployment

image

StorageExclusionImage

expiration

Date

date-time

StorageExclusionDeployment

Field Name Required Nullable Type Description Format

name

String

scope

StorageScope

StorageExclusionImage

Field Name Required Nullable Type Description Format

name

String

StorageLifecycleStage

Enum Values

DEPLOY

BUILD

RUNTIME

StoragePolicy

Next tag: 28
Field Name Required Nullable Type Description Format

id

String

name

String

Name of the policy. Must be unique.

description

String

Free-form text description of this policy.

rationale

String

remediation

String

Describes how to remediate a violation of this policy.

disabled

Boolean

Toggles whether or not this policy will be executing and actively firing alerts.

categories

List of string

List of categories that this policy falls under. Category names must already exist in Central.

lifecycleStages

List of StorageLifecycleStage

Describes which policy lifecylce stages this policy applies to. Choices are DEPLOY, BUILD, and RUNTIME.

eventSource

StorageEventSource

NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT,

exclusions

List of StorageExclusion

Define deployments or images that should be excluded from this policy.

scope

List of StorageScope

Defines clusters, namespaces, and deployments that should be included in this policy. No scopes defined includes everything.

severity

StorageSeverity

UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,

enforcementActions

List of StorageEnforcementAction

FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates. Lists the enforcement actions to take when a violation from this policy is identified. Possible value are UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT.

notifiers

List of string

List of IDs of the notifiers that should be triggered when a violation from this policy is identified. IDs should be in the form of a UUID and are found through the Central API.

lastUpdated

Date

date-time

SORTName

String

For internal use only.

SORTLifecycleStage

String

For internal use only.

SORTEnforcement

Boolean

For internal use only.

policyVersion

String

policySections

List of StoragePolicySection

PolicySections define the violation criteria for this policy.

mitreAttackVectors

List of PolicyMitreAttackVectors

criteriaLocked

Boolean

Read-only field. If true, the policy’s criteria fields are rendered read-only.

mitreVectorsLocked

Boolean

Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only.

isDefault

Boolean

Read-only field. Indicates the policy is a default policy if true and a custom policy if false.

source

StoragePolicySource

IMPERATIVE, DECLARATIVE,

StoragePolicyGroup

Field Name Required Nullable Type Description Format

fieldName

String

Defines which field on a deployment or image this PolicyGroup evaluates. See https://docs.openshift.com/acs/operating/manage-security-policies.html#policy-criteria_manage-security-policies for a complete list of possible values.

booleanOperator

StorageBooleanOperator

OR, AND,

negate

Boolean

Determines if the evaluation of this PolicyGroup is negated. Default to false.

values

List of StoragePolicyValue

StoragePolicySection

Field Name Required Nullable Type Description Format

sectionName

String

policyGroups

List of StoragePolicyGroup

The set of policies groups that make up this section. Each group can be considered an individual criterion.

StoragePolicySource

Enum Values

IMPERATIVE

DECLARATIVE

StoragePolicyValue

Field Name Required Nullable Type Description Format

value

String

StorageScope

Field Name Required Nullable Type Description Format

cluster

String

namespace

String

label

StorageScopeLabel

StorageScopeLabel

Field Name Required Nullable Type Description Format

key

String

value

String

StorageSeverity

Enum Values

UNSET_SEVERITY

LOW_SEVERITY

MEDIUM_SEVERITY

HIGH_SEVERITY

CRITICAL_SEVERITY