Commit

Fix policy docs for scopes
Signed-off-by: vshubhang <vshubhang@vmware.com>
Shubbhang351 authored and tenthirtyam committed Nov 15, 2024
1 parent ad06a6a commit 4fed2bc
Showing 12 changed files with 262 additions and 175 deletions.
65 changes: 34 additions & 31 deletions docs/resources/custom_policy.md
@@ -1,17 +1,17 @@
---
Title: "Custom Policy Resource"
Description: |-
Creating the Tanzu Kubernetes custom policy resource.
Creating the Tanzu Kubernetes custom policy resource.
---

# Custom Policy

The `tanzu-mission-control_custom_policy` resource enables you to attach one of the pre-defined custom policy recipes to a particular scope for management through Tanzu Mission Control.


## Input Recipe

In the Tanzu Mission Control custom policy resource, there are six system defined types of custom templates that you can use:

- **tmc-block-nodeport-service**
- **tmc-block-resources**
- **tmc-block-rolebinding-subjects**
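
Review bot: in the front matter, the line under `Description: |-` changes only in whitespace, and a YAML block scalar needs its content indented deeper than the key. Confirm the new line keeps that indentation, otherwise the description is lost or the front matter stops parsing. While this paragraph is being touched, "system defined types" in the Input Recipe sentence should read "system-defined types".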
Expand All @@ -23,6 +23,7 @@ In the Tanzu Mission Control custom policy resource, there are six system define
## Policy Scope and Inheritance

In the Tanzu Mission Control resource hierarchy, there are three levels at which you can specify custom policy resources:

- **organization** - `organization` block under `scope` sub-resource
- **object groups** - `cluster_group` block under `scope` sub-resource
- **Kubernetes objects** - `cluster` block under `scope` sub-resource
Expand Down Expand Up @@ -1292,12 +1293,13 @@ resource "tanzu-mission-control_custom_policy" "custom" {
```

<!-- schema generated by tfplugindocs -->

## Schema

### Required

- `name` (String) Name of the custom policy
- `scope` (Block List, Min: 1, Max: 1) Scope for the custom, security, image, network, namespace quota and mutation policy, having one of the valid scopes for custom, security, mutation, and namespace quota policy: cluster, cluster_group or organization and valid scopes for image and network policy: workspace or organization. (see [below for nested schema](#nestedblock--scope))
- `scope` (Block List, Min: 1, Max: 1) Scope for the custom, security, image, network and namespace quota policy, having one of the valid scopes for custom, security and namespace quota policy: cluster, cluster_group or organization and valid scopes for image and network policy: workspace or organization. (see [below for nested schema](#nestedblock--scope))
- `spec` (Block List, Min: 1, Max: 1) Spec for the custom policy (see [below for nested schema](#nestedblock--spec))

### Optional
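
Review bot: the reworded `scope` description sits below the `<!-- schema generated by tfplugindocs -->` marker, so the same wording has to live in the provider schema's description string or the next docs generation will revert it. The two versions of the line differ only in whether mutation policy is named among the policy types and valid scopes, and the commit message ("Fix policy docs for scopes") does not say why; a sentence in the commit body would help. The blank lines added and removed around headings throughout this generated section are subject to the same regeneration.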
Expand All @@ -1309,6 +1311,7 @@ resource "tanzu-mission-control_custom_policy" "custom" {
- `id` (String) The ID of this resource.

<a id="nestedblock--scope"></a>

### Nested Schema for `scope`

Optional:
Expand All @@ -1319,6 +1322,7 @@ Optional:
- `workspace` (Block List, Max: 1) The schema for workspace policy full name (see [below for nested schema](#nestedblock--scope--workspace))

<a id="nestedblock--scope--cluster"></a>

### Nested Schema for `scope.cluster`

Required:
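
Review bot: the `workspace` entry under `scope` is documented here without qualification, while the `scope` description in the Required section limits custom policy to cluster, cluster_group or organization and reserves workspace for image and network policy. Either mark this entry as not valid for custom policy or state the restriction in the "Nested Schema for `scope`" section, so a reader does not try to attach a custom policy at workspace scope and assume it is enforced.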
Expand All @@ -1330,33 +1334,32 @@ Optional:
- `management_cluster_name` (String) Name of the management cluster
- `provisioner_name` (String) Provisioner of the cluster


<a id="nestedblock--scope--cluster_group"></a>

### Nested Schema for `scope.cluster_group`

Required:

- `cluster_group` (String) Name of this cluster group


<a id="nestedblock--scope--organization"></a>

### Nested Schema for `scope.organization`

Required:

- `organization` (String) ID of this organization


<a id="nestedblock--scope--workspace"></a>

### Nested Schema for `scope.workspace`

Required:

- `workspace` (String) Name of this workspace



<a id="nestedblock--spec"></a>

### Nested Schema for `spec`

Required:
Expand All @@ -1368,6 +1371,7 @@ Optional:
- `namespace_selector` (Block List, Max: 1) Label based Namespace Selector for the policy (see [below for nested schema](#nestedblock--spec--namespace_selector))

<a id="nestedblock--spec--input"></a>

### Nested Schema for `spec.input`

Optional:
Expand All @@ -1381,6 +1385,7 @@ Optional:
- `tmc_require_labels` (Block List, Max: 1) The input schema for custom policy tmc_require_labels recipe version v1 (see [below for nested schema](#nestedblock--spec--input--tmc_require_labels))

<a id="nestedblock--spec--input--custom"></a>

### Nested Schema for `spec.input.custom`

Required:
Expand All @@ -1394,16 +1399,16 @@ Optional:
- `parameters` (String) JSON encoded template parameters.

<a id="nestedblock--spec--input--custom--target_kubernetes_resources"></a>

### Nested Schema for `spec.input.custom.target_kubernetes_resources`

Required:

- `api_groups` (List of String) APIGroup is a group containing the resource type.
- `kinds` (List of String) Kind is the name of the object schema (resource type).



<a id="nestedblock--spec--input--tmc_block_nodeport_service"></a>

### Nested Schema for `spec.input.tmc_block_nodeport_service`

Required:
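
Review bot: `parameters` under `spec.input.custom` is described only as "JSON encoded template parameters." The description should say that the value must be a valid JSON string (for example one produced with `jsonencode()`) and that its keys are defined by the chosen template, since a malformed string here is the most likely way to end up with a policy that does not constrain what the author intended.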
Expand All @@ -1415,16 +1420,16 @@ Optional:
- `audit` (Boolean) Audit (dry-run).

<a id="nestedblock--spec--input--tmc_block_nodeport_service--target_kubernetes_resources"></a>

### Nested Schema for `spec.input.tmc_block_nodeport_service.target_kubernetes_resources`

Required:

- `api_groups` (List of String) APIGroup is a group containing the resource type.
- `kinds` (List of String) Kind is the name of the object schema (resource type).



<a id="nestedblock--spec--input--tmc_block_resources"></a>

### Nested Schema for `spec.input.tmc_block_resources`

Required:
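
Review bot: the `audit` description "Audit (dry-run)." gives neither the default value nor what dry-run means for enforcement. For a blocking recipe such as `tmc_block_nodeport_service` the reader needs to know whether leaving `audit` unset enforces the policy and whether setting it to true stops the policy from denying requests. The same wording is repeated for every recipe, so fixing it once in the schema description covers all of them.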
Expand All @@ -1436,16 +1441,16 @@ Optional:
- `audit` (Boolean) Audit (dry-run).

<a id="nestedblock--spec--input--tmc_block_resources--target_kubernetes_resources"></a>

### Nested Schema for `spec.input.tmc_block_resources.target_kubernetes_resources`

Required:

- `api_groups` (List of String) APIGroup is a group containing the resource type.
- `kinds` (List of String) Kind is the name of the object schema (resource type).



<a id="nestedblock--spec--input--tmc_block_rolebinding_subjects"></a>

### Nested Schema for `spec.input.tmc_block_rolebinding_subjects`

Required:
Expand All @@ -1458,33 +1463,33 @@ Optional:
- `audit` (Boolean) Audit (dry-run).

<a id="nestedblock--spec--input--tmc_block_rolebinding_subjects--parameters"></a>

### Nested Schema for `spec.input.tmc_block_rolebinding_subjects.parameters`

Required:

- `disallowed_subjects` (Block List, Min: 1) Disallowed Subjects. (see [below for nested schema](#nestedblock--spec--input--tmc_block_rolebinding_subjects--parameters--disallowed_subjects))

<a id="nestedblock--spec--input--tmc_block_rolebinding_subjects--parameters--disallowed_subjects"></a>

### Nested Schema for `spec.input.tmc_block_rolebinding_subjects.parameters.disallowed_subjects`

Required:

- `kind` (String) The kind of subject to disallow, can be User/Group/ServiceAccount.
- `name` (String) The name of the subject to disallow.



<a id="nestedblock--spec--input--tmc_block_rolebinding_subjects--target_kubernetes_resources"></a>

### Nested Schema for `spec.input.tmc_block_rolebinding_subjects.target_kubernetes_resources`

Required:

- `api_groups` (List of String) APIGroup is a group containing the resource type.
- `kinds` (List of String) Kind is the name of the object schema (resource type).



<a id="nestedblock--spec--input--tmc_external_ips"></a>

### Nested Schema for `spec.input.tmc_external_ips`

Required:
Expand All @@ -1497,24 +1502,24 @@ Optional:
- `audit` (Boolean) Audit (dry-run).

<a id="nestedblock--spec--input--tmc_external_ips--parameters"></a>

### Nested Schema for `spec.input.tmc_external_ips.parameters`

Required:

- `allowed_ips` (List of String) Allowed IPs.


<a id="nestedblock--spec--input--tmc_external_ips--target_kubernetes_resources"></a>

### Nested Schema for `spec.input.tmc_external_ips.target_kubernetes_resources`

Required:

- `api_groups` (List of String) APIGroup is a group containing the resource type.
- `kinds` (List of String) Kind is the name of the object schema (resource type).



<a id="nestedblock--spec--input--tmc_https_ingress"></a>

### Nested Schema for `spec.input.tmc_https_ingress`

Required:
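
Review bot: `allowed_ips` under `spec.input.tmc_external_ips.parameters` is described only as "Allowed IPs." The description should state the accepted format of each entry (single address, CIDR range, or both), because an allow list whose entries are silently not matched changes what the policy permits.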
Expand All @@ -1526,16 +1531,16 @@ Optional:
- `audit` (Boolean) Audit (dry-run).

<a id="nestedblock--spec--input--tmc_https_ingress--target_kubernetes_resources"></a>

### Nested Schema for `spec.input.tmc_https_ingress.target_kubernetes_resources`

Required:

- `api_groups` (List of String) APIGroup is a group containing the resource type.
- `kinds` (List of String) Kind is the name of the object schema (resource type).



<a id="nestedblock--spec--input--tmc_require_labels"></a>

### Nested Schema for `spec.input.tmc_require_labels`

Required:
Expand All @@ -1548,13 +1553,15 @@ Optional:
- `audit` (Boolean) Audit (dry-run).

<a id="nestedblock--spec--input--tmc_require_labels--parameters"></a>

### Nested Schema for `spec.input.tmc_require_labels.parameters`

Required:

- `labels` (Block List, Min: 1) Labels. (see [below for nested schema](#nestedblock--spec--input--tmc_require_labels--parameters--labels))

<a id="nestedblock--spec--input--tmc_require_labels--parameters--labels"></a>

### Nested Schema for `spec.input.tmc_require_labels.parameters.labels`

Required:
Expand All @@ -1565,27 +1572,25 @@ Optional:

- `value` (String) Optional label value to enforce (if left empty, only key will be enforced).



<a id="nestedblock--spec--input--tmc_require_labels--target_kubernetes_resources"></a>

### Nested Schema for `spec.input.tmc_require_labels.target_kubernetes_resources`

Required:

- `api_groups` (List of String) APIGroup is a group containing the resource type.
- `kinds` (List of String) Kind is the name of the object schema (resource type).




<a id="nestedblock--spec--namespace_selector"></a>

### Nested Schema for `spec.namespace_selector`

Required:

- `match_expressions` (Block List, Min: 1) Match expressions is a list of label selector requirements, the requirements are ANDed (see [below for nested schema](#nestedblock--spec--namespace_selector--match_expressions))

<a id="nestedblock--spec--namespace_selector--match_expressions"></a>

### Nested Schema for `spec.namespace_selector.match_expressions`

Required:
Expand All @@ -1597,10 +1602,8 @@ Optional:
- `key` (String) Key is the label key that the selector applies to
- `operator` (String) Operator represents a key's relationship to a set of values




<a id="nestedblock--meta"></a>

### Nested Schema for `meta`

Optional:
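
Review bot: `operator` under `spec.namespace_selector.match_expressions` is described as "a key's relationship to a set of values" without listing the accepted operator values. Since `match_expressions` decides which namespaces the policy applies to and the requirements are ANDed, list the valid operators here so a typo does not leave namespaces outside the policy.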

0 comments on commit 4fed2bc