Framework Management

By leveraging Shipa, you can quickly provision frameworks that automatically enforce governance policies when deploying applications.

apiVersion: shipa.crossplane.io/v1alpha1
kind: Framework
metadata:
  name: cp-dev
spec:
  forProvider:
    shipaFramework: cp-dev
    resources:
      general:
        setup:
          default: false
          provisioner: kubernetes
          public: false
          kubernetesNamespace: existing-namespace
        router: nginx
        plan:
          name: "plan-name"
        access:
          append: ["shipa-team"]
        nodeSelectors:
          terms:
            environment: team1
            os: linux
          strict: true
        podAutoScaler:
          minReplicas: 1
          maxReplicas: 10
          targetCPUUtilizationPercentage: 50
          disableAppOverride: true
        domainPolicy:
          allowedCnames:
            - "*.example.com"
            - "*.acme.bar"
        appAutoDiscovery:
          appSelector:
            - label: app
          suffix: "" 
        security:
          disableScan: true
          ignoreComponents: ["apt", "bash", "..."]
          ignoreCves: ["CVE-2020-27350", "CVE-2011-3374", "..."]
        networkPolicy:
          ingress:
            policy_mode: allow-custom-rules-only
              custom_rules:
                id: rule-name
                description: "networking rule"
                enabled: true
                allowed_apps: ["app1", "app2", "app3", "appX"]
                allowed_frameworks: ["fw1", "fw2]
                ports:
                   port: 8080
                   protocol: TCP
                   port: 8081
                   protocol: TCP
          egress:
            policy_mode: allow-all
          disableAppPolicies: false
        containerPolicy:
          allowedHosts: ["docker.io/shipasoftware", "docker.io/shiparepo"]

Top-Level Attributes

Component

Type

Definition

apiVersion

string

the version of the API.

kind

string

the kind of custom resource that will be created by Shipa.

Framework is the kind used by Shipa for creating applications.

metadata

the name of the custom resource that will be created by Shipa.

spec

the specification that will be used by Shipa when creating the framework.

Metadata

Component

Type

Description

name

string

the name of the custom resource that will be created by Shipa.

Specification

Component path: spec > forProvider

Component

Type

Description

shipaFramework

string

the name of the framework that should be created by Shipa.

Required: Yes

resources

the general settings that should be used by Shipa when creating the framework.

Required: Yes

General

Component path: spec > forProvider > resources > general

Component

Type

Description

setup

defines the provisioner that should be used by the framework when deploying applications

Required: Yes

router

string

the router that should be assigned to the framework so an endpoint can automatically be created for the applications deployed through this framework.

If not specified, Shipa will default to Traefik and automatically configure the Traefik as the ingress.

Required: No
Options:

  • istio
  • ngnix
  • traefik

plan

the name of the resource plan that should be used by this framework when applications are deployed through it.

Required: No

nodeSelector

limits which nodes can be used when applications are deployed using the framework.

Required: No

podAutoScaler

implements default autoscale rules for applications deployed using the framework.

Required: No

domainPolicy

limits the domains developers can use when adding CNAMEs to their applications.

Required: No

appAutoDiscovery

Discovers and displays on Shipa dashboard any existing applications.

For this to work, you need to connect the framework to an existing namespace in your cluster by using the kubernetesNamespace property.

Required: No

security

defines the level of security scan that will be automatically run on every application deployed through this framework.

Required: No

networkPolicy

defines default network policies that will be assigned to every application deployed through this framework.

Required: No

containerPolicy

limits which container registries can be used when deploying applications to this framework.

Required: No

Setup

Component path: spec > forProvider > resources > general > setup

Component

Type

Definition

default

boolean

when developers do not specify a framework to deploy their applications, the framework marked as default will be used automatically.

Required: No

provisioner

string

the provisioner that should be used by this framework when deploying applications

Options:

  • shipa
  • kubernetes

Required: Yes
Default: If not specified, Shipa will automatically assign Kubernetes.

public

boolean

if the framework should be publicly exposed to all teams available on Shipa.

Required: No
Default: If not specified, the framework will be private to a select group of teams

kubernetesNamespace

string

If you are connecting this framework to an existing namespace in your cluster, this should be the name of the existing namespace.

Required: No
Default: If not specified, Shipa will automatically create a new namespace for the framework once you connect this framework to a cluster.

Resource Plan

Component path: spec > forProvider > resources > general > plan

Component

Type

Description

name

string

the name of the resource plan that should be used by this framework when applications are deployed through it.

If not specified, Shipa will use an existing plan that is exposed as default.

Required: No

Node Selector

Component path: spec > forProvider > resources > general > nodeSelector

Component

Type

Description

terms

The combination of lable: value that Shipa should use when finding a node to deploy applications bound to the framework.

Multiple options can be defined, one per line.

Required: Yes

strict

boolean

When specifying multiple values, users can enable strict to make sure Shipa finds nodes where all values are true.

Required: Yes

Pod Autoscaler

Component path: spec > forProvider > resources > general > podAutoScaler

Component

Type

Description

minReplicas

int

the minimum number of replicas applications deployed using this framework should have.

Required: Yes

maxReplicas

int

the maximum number of replicas applications deployed using this framework should have.

Required: Yes

targetCPUUtilizationPercentage

int

the target CPU utilization that should trigger the auto scale rule for the application.

Required: Yes

disableAppOverride

boolean

defines if the auto scale rule assigned automatically to the applications deployed using the framework can be changed post-deployment.

Required: Yes

Domain Policy

Component path: spec > forProvider > resources > general > domainPolicy

Component

Type

Description

allowedCnames

string

one, or multiple, allowed domains developers can use to assign to their applications as CNAME.

Required: Yes

Application Discovery

Component path: spec > forProvider > resources > general > appAutoDiscovery

Component

Type

Description

appSelector

string

the label that Shipa should look for when importing and exposing applications on the dashboard once the framework is connected to a cluster.

For applications to be imported, the appSelector should be used together with the kubernetesNamespace option.

Required: Yes

suffix

string

suffix that should be automatically added to an application name when imported.

Required: No

Security

Component path: spec > forProvider > resources > general > security

Component

Type

Description

disableScan

bool

if application scanning should be disabled when applications are deployed using the framework.

By default, unless changed, it will be enabled when creating the framework.

Required: No

ignoreComponents

string

By default, if security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed to through this framework.

If there are specific components that should be ignored by Shipa during deployments using this framework, they should be listed here.

Required: No

ignoreCves

string

By default, if security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed to the framework.

If there are specific CVES that should be ignored by Shipa during deployments using this framework, they should be listed here.

Required: No

Network Policy

Component path: spec > forProvider > resources > general > networkPolicy

Component

Type

Description

ingress

ingress definition that will be accepted by applications deployed using the framework.

if not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed through the framework.

Required: No

policy_mode

string

the policy mode that should be applied to applications deployed through the framework.

Current options from this provider are:

  • allow-all
  • deny-all
  • allow-custom-rules-only

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

custom_rules

if policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed through the framework.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

id

string

the name of the custom rule.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

enabled

bool

if the custom rule is enabled by default or not when applications are deployed through the framework.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

description

string

The description of the custom rule being enforced by the framework.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

allowed_apps

string

the specific applications that applications deployed through the framework can receive ingress or ingress from.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

allowed_frameworks

string

allow traffic from applications deployed through this, or list of, frameworks.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

ports

port configuration where applications deployed through the framework can accept ingress or egress.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

port

int

The specific port (or list of ports) where applications deployed through the framework can accept ingress or egress.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

protocol

string

The specific protocol where applications deployed through the framework can accept ingress or egress.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

egress

egress definition that will be accepted by applications deployed using the framework.

if not defined, Shipa will automatically assign an allow-all egress policy for applications deployed through the framework.

Required: No

disable_app_policies

bool

defines if application owners can change ingress and/or egress rules at the application-level post-deployment.

Required: No
Condition: Only when policy_mode is set to allow-custom-rules-only

📘

Detailed network policies

Shipa enables you to define more granular network policies through its dashboard. If rules are overly complex, we recommend using the dashboard to define a sample framework and network policy.

Exporting the framework configuration, giving you your detailed network policy configuration in a file.

Container Policy

Component path: spec > forProvider > resources > general > containerPolicy

Component

Type

Description

allowedHosts

string

the container registry (or list of) developers can use when deploying their applications through the framework.

if not specified, developers will be able to deploy images from any container registry

Required: No


Did this page help you?