Implement the Placement API (#30)

* Implement the Placement API

Sync changes from:
- open-cluster-management-io/ocm-kustomize-generator-plugins#3

Signed-off-by: Dale Haiducek <[email protected]>

* Evaluate symlinks to verify the paths

Signed-off-by: Dale Haiducek <[email protected]>

Author: dhaiducek

README.md

@@ -2,10 +2,13 @@
 
 ## Overview
 
-The Policy Generator constructs Open Cluster Management policies from Kubernetes YAML files provided through a PolicyGenerator Custom Resource. The Policy Generator is a binary compiled for use as a [kustomize](https://kustomize.io/) exec plugin.
+The Policy Generator constructs Open Cluster Management policies from Kubernetes YAML files provided
+through a PolicyGenerator Custom Resource. The Policy Generator is a binary compiled for use as a
+[kustomize](https://kustomize.io/) exec plugin.
 
 For more about Open Cluster Management and its Policy Framework:
-- [Open Cluster Management website](open-cluster-management.io/)
+
+- [Open Cluster Management website](https://open-cluster-management.io/)
 - [Governance Policy Framework](https://open-cluster-management.io/getting-started/integration/policy-framework/)
 - [Policy Collection repository](https://github.com/open-cluster-management/policy-collection)
 
@@ -23,70 +26,78 @@ For more about Open Cluster Management and its Policy Framework:
 
 2. Create the plugin directory:
 
-    ```bash
-    mkdir -p ${HOME}/.config/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator
-    ```
+   ```bash
+   mkdir -p ${HOME}/.config/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator
+   ```
 
 3. Move the binary to the plugin directory:
 
-    - Linux:
+   - Linux:
 
-        ```bash
-        chmod +x linux-amd64-PolicyGenerator
-        mv linux-amd64-PolicyGenerator ${HOME}/.config/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator/PolicyGenerator
-        ```
+     ```bash
+     chmod +x linux-amd64-PolicyGenerator
+     mv linux-amd64-PolicyGenerator ${HOME}/.config/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator/PolicyGenerator
+     ```
 
-    - MacOS:
+   - MacOS:
 
-        ```bash
-        chmod +x darwin-amd64-PolicyGenerator
-        mv darwin-amd64-PolicyGenerator ${HOME}/.config/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator/PolicyGenerator
-        ```
+     ```bash
+     chmod +x darwin-amd64-PolicyGenerator
+     mv darwin-amd64-PolicyGenerator ${HOME}/.config/kustomize/plugin/policy.open-cluster-management.io/v1/policygenerator/PolicyGenerator
+     ```
 
 ##### Build and install from source
 
 1. Build the plugin binary (only needed once or to update the plugin):
-    ```bash
-    make build
-    ```
-    **NOTE:** This will default to placing the binary in `${HOME}/.config/kustomize/plugin/`. You can change this by exporting `KUSTOMIZE_PLUGIN_HOME` to a different path.
+   ```bash
+   make build
+   ```
+   **NOTE:** This will default to placing the binary in `${HOME}/.config/kustomize/plugin/`. You can
+   change this by exporting `KUSTOMIZE_PLUGIN_HOME` to a different path.
 
 #### Configuration
 
-1. Create a `kustomization.yaml` file that points to `PolicyGenerator` manifest(s), with any additional desired patches or customizations (see [`examples/policyGenerator.yaml`](./examples/policyGenerator.yaml) for an example):
-    ```yaml
-    generators:
-    - path/to/generator/file.yaml
-    ...
-    ```
-    - To read more about the `PolicyGenerator` YAML, see [About the PolicyGenerator plugin](./docs/policygenerator.md)
+1. Create a `kustomization.yaml` file that points to `PolicyGenerator` manifest(s), with any
+   additional desired patches or customizations (see
+   [`examples/policyGenerator.yaml`](./examples/policyGenerator.yaml) for an example):
+
+   ```yaml
+   generators:
+     - path/to/generator/file.yaml
+   ```
+
+   - To read more about the `PolicyGenerator` YAML, see
+     [About the PolicyGenerator plugin](./docs/policygenerator.md)
 
 2. To use the plugin to generate policies, do one of:
-    - Utilize the `examples/` directory in this repository (the directory can be modified by exporting a new path to `SOURCE_DIR`):
-      ```bash
-      make generate
-      ```
-    - From any directory with a `kustomization.yaml` file pointing to `PolicyGenerator` manifests:
-      ```bash
-      kustomize build --enable-alpha-plugins
-      ```
+   - Utilize the `examples/` directory in this repository (the directory can be modified by
+     exporting a new path to `SOURCE_DIR`):
+     ```bash
+     make generate
+     ```
+   - From any directory with a `kustomization.yaml` file pointing to `PolicyGenerator` manifests:
+     ```bash
+     kustomize build --enable-alpha-plugins
+     ```
 
 ### As a standalone binary
 
 In order to bypass Kustomize and run the generator binary directly:
 
 1. Build the binary:
-    ```bash
-    make build-binary
-    ```
+
+   ```bash
+   make build-binary
+   ```
 
 2. Run the binary from the location of the PolicyGenerator manifest(s):
-    ```bash
-    path/to/PolicyGenerator <path/to/file/1> ... <path/to/file/n>
-    ```
-    - For example:
-      ```bash
-      cd examples
-      ../PolicyGenerator policyGenerator.yaml
-      ```
-    **NOTE:** To print the trace in the case of an error, you can add the `--debug` flag to the arguments.
+   ```bash
+   path/to/PolicyGenerator <path/to/file/1> ... <path/to/file/n>
+   ```
+   - For example:
+     ```bash
+     cd examples
+     ../PolicyGenerator policyGenerator.yaml
+     ```
+     **NOTE:** To print the trace in the case of an error, you can add the `--debug` flag to the
+     arguments.

docs/policygenerator-reference.yaml

@@ -21,12 +21,11 @@ policyDefaults:
   # annotation. This defaults to ["CM-2 Baseline Configuration"].
   controls:
     - "CM-2 Baseline Configuration"
-  # Optional. This determines if a single configuration policy should be
-  # generated for all the manifests being wrapped in the policy.
-  # If set to false, a configuration policy per manifest will be generated.
-  # This defaults to true.
+  # Optional. This determines if a single configuration policy should be generated for all the
+  # manifests being wrapped in the policy. If set to false, a configuration policy per manifest will
+  # be generated. This defaults to true.
   consolidateManifests: true
-  # Optional. When the policy references a Kyverno policy manifest, this determines if an additonal
+  # Optional. When the policy references a Kyverno policy manifest, this determines if an additional
   # configuration policy should be generated in order to receive policy violations in Open Cluster
   # Management when the Kyverno policy has been violated. This defaults to true.
   informKyvernoPolicies: true
@@ -35,15 +34,22 @@ policyDefaults:
   # Optional. The placement configuration for the policies. This defaults to a placement
   # configuration that matches all clusters.
   placement:
-    # To specify a placement, specify key:value pair cluster selectors. (See placementRulePath to
-    # specify an existing file instead.)
+    # To specify a placement rule, specify key:value pair cluster selectors. (See placementRulePath
+    # to specify an existing file instead.)
     clusterSelectors: {}
+    # To specify a placement, specify key:value pair cluster label selectors. (See placementPath to
+    # specify an existing file instead.)
+    labelSelector: {}
     # Optional. Specifying a name will consolidate placement rules that contain the same cluster
     # selectors.
     name: ""
-    # To reuse an existing placement rule, specify the path here relative to the kustomization.yaml
-    # file. If given, this placement rule will be used by all policies by default. (See
-    # clusterSelectors to generate a new Placement instead.)
+    # To reuse an existing placement manifest, specify the path here relative to the
+    # kustomization.yaml file. If given, this placement will be used by all policies by default.
+    # (See clusterSelectors to generate a new Placement instead.)
+    placementPath: ""
+    # To reuse an existing placement rule manifest, specify the path here relative to the
+    # kustomization.yaml file. If given, this placement rule will be used by all policies by
+    # default. (See clusterSelectors to generate a new PlacementRule instead.)
     placementRulePath: ""
   # Optional. The remediation action ("inform" or "enforce") for each configuration policy. This
   # defaults to "inform".
@@ -58,14 +64,14 @@ policyDefaults:
 # Required. The list of policies to create along with overrides to either the default values or, if
 # set, the values given in policyDefaults.
 policies:
-  # Required. The name of the policy to create.
+    # Required. The name of the policy to create.
   - name: ""
     # Required. The list of Kubernetes resource object manifests to include in the policy.
     manifests:
-      # Required. Path to a single file or a flat directory of files relative to the
-      # kustomization.yaml file. This path cannot be in a directory outside of the directory with
-      # the kustomization.yaml file. Subdirectories within the directory with kustomization.yaml
-      # file are allowed.
+        # Required. Path to a single file or a flat directory of files relative to the
+        # kustomization.yaml file. This path cannot be in a directory outside of the directory with
+        # the kustomization.yaml file. Subdirectories within the directory with kustomization.yaml
+        # file are allowed.
       - path: ""
         # Optional. (See policy[0].complianceType for description.)
         complianceType: "musthave"

docs/policygenerator.md

@@ -18,10 +18,15 @@ generator plugin to be enabled.
 
 By default, a Placement and PlacementBinding are created for each policy with the policy name as the
 suffix. To signal that you'd like to consolidate policies that use the same Placement under a single
-PlacementBinding, either specify `placement.placementRulePath` to an existing Placement manifest or
-set `placement.name` along with `placement.clusterSelectors`. When the PlacementBinding is
-consolidated in this way, `placementBindingDefaults.name` must be specified so that the generator
-can create unique names for the bindings.
+PlacementBinding, either specify `placement.placementRulePath` to an existing Placement manifest or set
+`placement.name` along with `placement.clusterSelectors`. When the PlacementBinding is consolidated in
+this way, `placementBindingDefaults.name` must be specified so that the generator can create unique
+names for the bindings.
+
+The PlacementRule kind in the `apps.open-cluster-management.io` API group is used by default if no
+placement is given. However, you can use the Placement kind in the
+`cluster.open-cluster-management.io` API group by specifying a Placement manifest in
+`placement.placementPath` or specifying labels in `placement.labelSelector`.
 
 ## Policy expanders
 

examples/input/placement.yaml

@@ -0,0 +1,16 @@
+apiVersion: cluster.open-cluster-management.io/v1alpha1
+kind: Placement
+metadata:
+  labels:
+    custom: myApp
+  name: placement-red-hat-cloud
+  namespace: my-policies
+spec:
+  predicates:
+    requiredClusterSelector:
+      labelSelector:
+        matchExpressions:
+          - key: cloud
+            operator: In
+            values:
+              - red hat

examples/policyGenerator.yaml

@@ -6,6 +6,7 @@ placementBindingDefaults:
   name: my-placement-binding
 policyDefaults:
   # categories: []
+  # complianceType: "musthave"
   controls: 
     - PR.DS-1 Data-at-rest
   namespace: my-policies