Added env and fs policies

metalbear-co · Jan 15, 2025 · 1de86c6 · 1de86c6
1 parent 749bf78
commit 1de86c6
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 3 deletions.
diff --git a/mirrord-operator/Chart.yaml b/mirrord-operator/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.16.1
+version: 1.16.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/mirrord-operator/templates/crd.yaml b/mirrord-operator/templates/crd.yaml
@@ -19,18 +19,73 @@ spec:
         description: Auto-generated derived type for MirrordPolicySpec via `CustomResource`
         properties:
           spec:
-            description: Custom resource for policies that limit what mirrord features users can use.
+            description: |-
+              Custom resource for policies that limit what mirrord features users can use.
+
+              This policy applies only to resources living in the same namespace.
             properties:
               block:
                 description: List of features and operations blocked by this policy.
                 items:
-                  description: Features and operations that can be blocked by a `MirrordPolicy`.
+                  description: Features and operations that can be blocked by `mirrordpolicies` and `mirrordclusterpolicies`.
                   enum:
                   - steal
                   - steal-without-filter
                   - mirror
                   type: string
                 type: array
+              env:
+                default:
+                  exclude: []
+                description: Controls how mirrord-operator handles user requests to fetch environment variables from the target.
+                properties:
+                  exclude:
+                    default: []
+                    description: |-
+                      List of environment variables that should be excluded when using mirrord.
+
+                      These environment variables won't be retrieved from the target even if the user specifies them in their `feature.env.include` mirrord config.
+
+                      Variable names can be matched using `*` and `?` where `?` matches exactly one occurrence of any character and `*` matches arbitrary many (including zero) occurrences of any character, e.g. `DATABASE_*` will match `DATABASE_URL` and `DATABASE_PORT`.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              fs:
+                default:
+                  local: []
+                  notFound: []
+                  readOnly: []
+                description: Overrides fs ops behaviour, granting control over them to the operator policy, instead of the user config.
+                properties:
+                  local:
+                    default: []
+                    description: |-
+                      Files that cannot be opened at all.
+
+                      Opening the file will be rejected and mirrord will open the file locally instead.
+                    items:
+                      type: string
+                    type: array
+                  notFound:
+                    default: []
+                    description: |-
+                      Files that cannot be opened at all.
+
+                      Opening the file is rejected with an IO error.
+                    items:
+                      type: string
+                    type: array
+                  readOnly:
+                    default: []
+                    description: |-
+                      Files that cannot be opened for writing.
+
+                      Opening the file for writing is rejected with an IO error.
+                    items:
+                      type: string
+                    type: array
+                type: object
               selector:
                 description: If specified in a policy, the policy will only apply to targets with labels that match all of the selector's rules.
                 nullable: true
@@ -121,6 +176,58 @@ spec:
                   - mirror
                   type: string
                 type: array
+              env:
+                default:
+                  exclude: []
+                description: Controls how mirrord-operator handles user requests to fetch environment variables from the target.
+                properties:
+                  exclude:
+                    default: []
+                    description: |-
+                      List of environment variables that should be excluded when using mirrord.
+
+                      These environment variables won't be retrieved from the target even if the user specifies them in their `feature.env.include` mirrord config.
+
+                      Variable names can be matched using `*` and `?` where `?` matches exactly one occurrence of any character and `*` matches arbitrary many (including zero) occurrences of any character, e.g. `DATABASE_*` will match `DATABASE_URL` and `DATABASE_PORT`.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              fs:
+                default:
+                  local: []
+                  notFound: []
+                  readOnly: []
+                description: Overrides fs ops behaviour, granting control over them to the operator policy, instead of the user config.
+                properties:
+                  local:
+                    default: []
+                    description: |-
+                      Files that cannot be opened at all.
+
+                      Opening the file will be rejected and mirrord will open the file locally instead.
+                    items:
+                      type: string
+                    type: array
+                  notFound:
+                    default: []
+                    description: |-
+                      Files that cannot be opened at all.
+
+                      Opening the file is rejected with an IO error.
+                    items:
+                      type: string
+                    type: array
+                  readOnly:
+                    default: []
+                    description: |-
+                      Files that cannot be opened for writing.
+
+                      Opening the file for writing is rejected with an IO error.
+                    items:
+                      type: string
+                    type: array
+                type: object
               selector:
                 description: If specified in a policy, the policy will only apply to targets with labels that match all of the selector's rules.
                 nullable: true