Framework Management
By leveraging Shipa, you can quickly provision frameworks that automatically enforce governance policies when deploying applications.
```yaml
apiVersion: shipa.crossplane.io/v1alpha1
kind: Framework
metadata:
  name: cp-dev
spec:
  forProvider:
    shipaFramework: cp-dev
    resources:
      general:
        setup:
          default: false
          provisioner: kubernetes
          public: false
          kubernetesNamespace: existing-namespace
        router: nginx
        plan:
          name: "plan-name"
        access:
          append: ["shipa-team"]
        nodeSelectors:
          terms:
            environment: team1
            os: linux
          strict: true
        podAutoScaler:
          minReplicas: 1
          maxReplicas: 10
          targetCPUUtilizationPercentage: 50
          disableAppOverride: true
        domainPolicy:
          allowedCnames:
            - "*.example.com"
            - "*.acme.bar"
        appAutoDiscovery:
          appSelector:
            - label: app
          suffix: ""
        security:
          disableScan: true
          ignoreComponents: ["apt", "bash", "..."]
          ignoreCves: ["CVE-2020-27350", "CVE-2011-3374", "..."]
        networkPolicy:
          ingress:
            policy_mode: allow-custom-rules-only
            custom_rules:
              - id: rule-name
                description: "networking rule"
                enabled: true
                allowed_apps: ["app1", "app2", "app3", "appX"]
                allowed_frameworks: ["fw1", "fw2"]
                ports:
                  - port: 8080
                    protocol: TCP
                  - port: 8081
                    protocol: TCP
          egress:
            policy_mode: allow-all
          disableAppPolicies: false
        containerPolicy:
          allowedHosts: ["docker.io/shipasoftware", "docker.io/shiparepo"]
```
Top-Level Attributes
Component | Type | Definition |
---|---|---|
apiVersion | string | the version of the API. |
kind | string | the kind of custom resource that will be created by Shipa. Framework is the kind used by Shipa for creating applications. |
metadata | object | the name of the custom resource that will be created by Shipa. |
spec | object | the specification that will be used by Shipa when creating the framework. |
Metadata
Component | Type | Description |
---|---|---|
name | string | the name of the custom resource that will be created by Shipa. |
Specification
Component path: spec > forProvider
Component | Type | Description |
---|---|---|
shipaFramework | string | the name of the framework that should be created by Shipa. Required: Yes |
resources | object | the general settings that should be used by Shipa when creating the framework. Required: Yes |
General
Component path: spec > forProvider > resources > general
Component | Type | Description |
---|---|---|
setup | object | defines the provisioner that should be used by the framework when deploying applications. Required: Yes |
router | string | the router that should be assigned to the framework so an endpoint can automatically be created for the applications deployed through this framework. If not specified, Shipa will default to Traefik and automatically configure Traefik as the ingress. Required: No. Options: istio, nginx, traefik |
plan | object | the name of the resource plan that should be used by this framework when applications are deployed through it. Required: No |
nodeSelector | object | limits which nodes can be used when applications are deployed using the framework. Required: No |
podAutoScaler | object | implements default autoscale rules for applications deployed using the framework. Required: No |
domainPolicy | object | limits the domains developers can use when adding CNAMEs to their applications. Required: No |
appAutoDiscovery | object | discovers any existing applications and displays them on the Shipa dashboard. For this to work, you need to connect the framework to an existing namespace in your cluster by using the kubernetesNamespace property. Required: No |
security | object | defines the level of security scan that will be automatically run on every application deployed through this framework. Required: No |
networkPolicy | object | defines default network policies that will be assigned to every application deployed through this framework. Required: No |
containerPolicy | object | limits which container registries can be used when deploying applications to this framework. Required: No |
Setup
Component path: spec > forProvider > resources > general > setup
Component | Type | Definition |
---|---|---|
default | boolean | when developers do not specify a framework to deploy their applications, the framework marked as default will be used automatically. Required: No |
provisioner | string | the provisioner that should be used by this framework when deploying applications. Required: Yes. Options: shipa, kubernetes. Default: if not specified, Shipa will automatically assign Kubernetes. |
public | boolean | if the framework should be publicly exposed to all teams available on Shipa. Required: No. Default: if not specified, the framework will be private to a select group of teams. |
kubernetesNamespace | string | if you are connecting this framework to an existing namespace in your cluster, this should be the name of the existing namespace. Required: No. Default: if not specified, Shipa will automatically create a new namespace for the framework once you connect this framework to a cluster. |
Resource Plan
Component path: spec > forProvider > resources > general > plan
Component | Type | Description |
---|---|---|
name | string | the name of the resource plan that should be used by this framework when applications are deployed through it. If not specified, Shipa will use an existing plan that is exposed as default. Required: No |
Node Selector
Component path: spec > forProvider > resources > general > nodeSelector
Component | Type | Description |
---|---|---|
terms | object | the combination of label: value pairs that Shipa should use when finding a node to deploy applications bound to the framework. Multiple pairs can be defined, one per line. Required: Yes |
strict | boolean | when specifying multiple values, users can enable strict to make sure Shipa only selects nodes where all values match. Required: Yes |
Pod Autoscaler
Component path: spec > forProvider > resources > general > podAutoScaler
Component | Type | Description |
---|---|---|
minReplicas | int | the minimum number of replicas applications deployed using this framework should have. Required: Yes |
maxReplicas | int | the maximum number of replicas applications deployed using this framework should have. Required: Yes |
targetCPUUtilizationPercentage | int | the target CPU utilization that should trigger the auto scale rule for the application. Required: Yes |
disableAppOverride | boolean | defines if the auto scale rule assigned automatically to the applications deployed using the framework can be changed post-deployment. Required: Yes |
Domain Policy
Component path: spec > forProvider > resources > general > domainPolicy
Component | Type | Description |
---|---|---|
allowedCnames | string | one, or multiple, allowed domains developers can use to assign to their applications as CNAME. Required: Yes |
Application Discovery
Component path: spec > forProvider > resources > general > appAutoDiscovery
Component | Type | Description |
---|---|---|
appSelector | string | the label that Shipa should look for when importing and exposing applications on the dashboard once the framework is connected to a cluster. For applications to be imported, the appSelector should be used together with the kubernetesNamespace option. Required: Yes |
suffix | string | suffix that should be automatically added to an application name when imported. Required: No |
Security
Component path: spec > forProvider > resources > general > security
Component | Type | Description |
---|---|---|
disableScan | bool | if application scanning should be disabled when applications are deployed using the framework. By default, unless changed, scanning is enabled when creating the framework. Required: No |
ignoreComponents | string | by default, if security scanning is not disabled, Shipa won't allow any component with vulnerabilities to be deployed through this framework. If there are specific components that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No |
ignoreCves | string | by default, if security scanning is not disabled, Shipa won't allow any image with CVE vulnerabilities to be deployed to the framework. If there are specific CVEs that should be ignored by Shipa during deployments using this framework, they should be listed here. Required: No |
Network Policy
Component path: spec > forProvider > resources > general > networkPolicy
Component | Type | Description |
---|---|---|
ingress | object | ingress definition that will be accepted by applications deployed using the framework. If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed through the framework. Required: No |
policy_mode | string | the policy mode that should be applied to applications deployed through the framework. Current options from this provider are: allow-all, deny-all, allow-custom-rules-only. Required: No |
custom_rules | list | if policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed through the framework. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
id | string | the name of the custom rule. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
enabled | bool | if the custom rule is enabled by default or not when applications are deployed through the framework. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
description | string | the description of the custom rule being enforced by the framework. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
allowed_apps | string | the specific applications that applications deployed through the framework can receive ingress from or send egress to. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
allowed_frameworks | string | allow traffic from applications deployed through this framework, or the listed frameworks. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
ports | list | port configuration where applications deployed through the framework can accept ingress or egress. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
port | int | the specific port (or list of ports) where applications deployed through the framework can accept ingress or egress. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
protocol | string | the specific protocol where applications deployed through the framework can accept ingress or egress. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
egress | object | egress definition that will be accepted by applications deployed using the framework. If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed through the framework. Required: No |
disable_app_policies | bool | defines if application owners can change ingress and/or egress rules at the application level post-deployment. Required: No. Condition: only when policy_mode is set to allow-custom-rules-only |
Detailed network policies
Shipa enables you to define more granular network policies through its dashboard. If your rules are overly complex, we recommend using the dashboard to define a sample framework and network policy.
You can then export the framework configuration, which gives you the detailed network policy configuration in a file.
Container Policy
Component path: spec > forProvider > resources > general > containerPolicy
Component | Type | Description |
---|---|---|
allowedHosts | string | the container registry (or list of registries) developers can use when deploying their applications through the framework. If not specified, developers will be able to deploy images from any container registry. Required: No |
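The tables above describe several settings whose absence or value silently weakens what the framework enforces: scanning turned off or exempted through ignoreComponents/ignoreCves, an undefined ingress or egress block (which Shipa treats as allow-all), custom_rules that are only honoured when policy_mode is allow-custom-rules-only, and a missing containerPolicy (any registry accepted). The following linter, added here as an example and not part of Shipa or the Crossplane provider, walks the spec > forProvider > resources > general subtree of a Framework manifest and reports each of those conditions. The manifest is a constructed dict shaped like the page's example; a real one would be loaded with yaml.safe_load().

```python
"""Governance linter for a Shipa Framework manifest.

Added example, not code from Shipa or the Crossplane provider. It walks
spec > forProvider > resources > general as documented on this page and
reports settings that weaken the governance the framework is meant to enforce.
"""
from typing import Any, Dict, List, Optional

# The three policy_mode values the page lists for this provider.
ALLOWED_POLICY_MODES = {"allow-all", "deny-all", "allow-custom-rules-only"}

# Constructed sample shaped like the page's example manifest, with scanning
# disabled and no domainPolicy so that the linter has something to report.
SAMPLE_MANIFEST: Dict[str, Any] = {
    "apiVersion": "shipa.crossplane.io/v1alpha1",
    "kind": "Framework",
    "metadata": {"name": "cp-dev"},
    "spec": {"forProvider": {"shipaFramework": "cp-dev", "resources": {"general": {
        "setup": {"default": False, "provisioner": "kubernetes", "public": False,
                  "kubernetesNamespace": "existing-namespace"},
        "router": "nginx",
        "security": {"disableScan": True,
                     "ignoreComponents": ["apt", "bash"],
                     "ignoreCves": ["CVE-2020-27350", "CVE-2011-3374"]},
        "networkPolicy": {
            "ingress": {"policy_mode": "allow-custom-rules-only",
                        "custom_rules": [{"id": "rule-name", "enabled": True,
                                          "allowed_apps": ["app1", "app2"],
                                          "ports": [{"port": 8080, "protocol": "TCP"}]}]},
            "egress": {"policy_mode": "allow-all"},
            "disableAppPolicies": False,
        },
        "containerPolicy": {"allowedHosts": ["docker.io/shipasoftware"]},
    }}}},
}


def general_section(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return spec.forProvider.resources.general, or {} if the path is absent."""
    node: Any = manifest
    for key in ("spec", "forProvider", "resources", "general"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def lint_network_direction(direction: str, policy: Optional[Dict[str, Any]]) -> List[str]:
    """Check one of networkPolicy.ingress / networkPolicy.egress."""
    prefix = "networkPolicy." + direction
    if policy is None:  # page: undefined block means Shipa assigns allow-all
        return [f"{prefix}: not defined, Shipa defaults to an allow-all {direction} policy"]
    findings: List[str] = []
    mode = policy.get("policy_mode")
    rules = policy.get("custom_rules") or []
    if mode not in ALLOWED_POLICY_MODES:
        findings.append(f"{prefix}.policy_mode: unknown value {mode!r}")
    if mode == "allow-all":
        findings.append(f"{prefix}.policy_mode: allow-all, no {direction} restriction")
    if rules and mode != "allow-custom-rules-only":  # rules only apply in that mode
        findings.append(f"{prefix}.custom_rules: defined but policy_mode is {mode!r}, rules are not applied")
    if mode == "allow-custom-rules-only" and not rules:
        findings.append(f"{prefix}.custom_rules: empty although policy_mode is allow-custom-rules-only")
    for rule in rules:
        rid = rule.get("id", "<unnamed>")
        if not rule.get("enabled", False):
            findings.append(f"{prefix}.custom_rules[{rid}].enabled: rule is disabled")
        if not (rule.get("allowed_apps") or rule.get("allowed_frameworks")):
            findings.append(f"{prefix}.custom_rules[{rid}]: no allowed_apps or allowed_frameworks")
        for i, port in enumerate(rule.get("ports") or []):
            if "port" not in port or "protocol" not in port:
                findings.append(f"{prefix}.custom_rules[{rid}].ports[{i}]: needs both port and protocol")
    return findings


def lint_framework(manifest: Dict[str, Any]) -> List[str]:
    """Return one finding string per governance-weakening setting found."""
    findings: List[str] = []
    if manifest.get("kind") != "Framework":
        findings.append(f"kind: expected Framework, got {manifest.get('kind')!r}")
    general = general_section(manifest)
    if general.get("setup", {}).get("public"):
        findings.append("setup.public: framework is exposed to all teams")
    security = general.get("security", {})
    if security.get("disableScan"):
        findings.append("security.disableScan: vulnerability scanning is off for every deployment")
    for key in ("ignoreComponents", "ignoreCves"):
        if security.get(key):
            findings.append(f"security.{key}: {len(security[key])} entries exempted from the scan gate")
    network = general.get("networkPolicy", {})
    for direction in ("ingress", "egress"):
        findings += lint_network_direction(direction, network.get(direction))
    if not general.get("containerPolicy", {}).get("allowedHosts"):
        findings.append("containerPolicy.allowedHosts: not set, images from any registry are accepted")
    if not general.get("domainPolicy", {}).get("allowedCnames"):
        findings.append("domainPolicy.allowedCnames: not set, no CNAME restriction is applied")
    return findings


if __name__ == "__main__":
    for line in lint_framework(SAMPLE_MANIFEST):
        print(line)
```

Run as a pre-merge check on the Framework YAML in a GitOps repository, the findings list gives reviewers the exact setting paths to justify; an empty list means every gate the page documents is switched on. The check treats an undefined ingress or egress as a finding because the page states that Shipa then assigns allow-all, which is easy to miss when reading a manifest that simply omits the block.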
Updated about 1 year ago