feat: NetworkPolicy, ResourceQuota, LimitRange, ClusterRole, ClusterRoleBinding as first-class resource types#190
Merged
…rRole, ClusterRoleBinding as first-class types

Promotes five resource types from PlaceholderSource stubs to fully implemented Orkestra resources with Create/Update/Delete/CopyToNamespaces/Resolve support. ClusterRole and ClusterRoleBinding are cluster-scoped and cannot carry OwnerReferences to a namespace-scoped CR; ownership is tracked via the labels.OrkestraOwner label instead, matching the pattern used by Namespaces. Fixes IsEmpty() and FilterResources()/MergeFrom() to cover all five new types so motif expander and condition-based resource filtering handle them correctly.
NetworkPolicy profiles: deny-all, deny-all-ingress, deny-all-egress, allow-same-namespace, allow-dns-egress. ResourceQuota profiles: small (2 cpu / 4Gi), medium (4 cpu / 8Gi), large (8 cpu / 16Gi), xlarge (16 cpu / 32Gi). Profiles are applied in each resource package's Resolve() and are mutually exclusive with explicit inline fields.
…oad time
Adds CollectNetworkPolicyProfileEntries / CollectResourceQuotaProfileEntries
collectors and wires validateNetworkPolicyProfiles / validateResourceQuotaProfiles
into ValidateConfig as steps 30 and 31.
Unknown profile names and mixed profile+explicit-fields declarations are both
rejected with actionable error messages. Template expressions ({{ ... }}) are
deferred to reconcile time.
Also adds validateCrossNamespaceOps (step 32) which rejects katalogs where
fromNamespace is set without toNamespaces or vice versa.
Unit test coverage for all six profile validator families (HPA, PDB,
RollingUpdate, NetworkPolicy, ResourceQuota) and their underlying collectors.
…cy profile docs

- documentation/reference/schema/02-katalog/16-resource-types.md: supported and not-yet-supported resource types, ClusterRole ownership note
- documentation/concepts/profiles/08-resourcequota-profile.md: small/medium/large/xlarge presets, mutual exclusivity rules, dynamic profile selection
- documentation/concepts/profiles/09-networkpolicy-profile.md: all five profiles, layered composition example, how deny-all works
- contributing-resources.md: updated tables to reflect the five newly implemented types
Summary
- `networkpolicy` (deny-all, deny-all-ingress, deny-all-egress, allow-same-namespace, allow-dns-egress) and `resourcequota` (small, medium, large, xlarge).
- `fromNamespace`/`toNamespaces` are automatically filtered before the fake reconciler runs. A note is printed for each skipped resource. Previously these errored and blocked all subsequent resources in the cycle.
- `ork validate` UX: Simulate and Motif output now use the same header + description + structured fields format as Katalog and E2E.

Notes

- `labels.OrkestraOwner`, same pattern as Namespaces.
- `fromNamespace`/`toNamespaces` copy resources are silently skipped in `ork simulate` with an explanatory note; they are fully exercised by `ork e2e`.

Test plan

- `make ork` passes
- `go test ./pkg/types/... ./pkg/katalog/...` — all new and existing tests pass
- `ork validate` on a katalog using NetworkPolicy and ResourceQuota profiles
- `ork simulate` with cross-namespace resources — PASS with skip note
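As an added illustration (not Orkestra's own code), a stand-alone Go sketch of the ResourceQuota profile rules the PR describes: the four presets, unknown profile names and profile-plus-inline-field mixes rejected at load time, `{{ ... }}` templates deferred to reconcile time, and the profile applied at Resolve. The `ResourceQuotaDecl` type, its field names and the function names are assumptions, not the project's API.

```go
package main

import (
	"fmt"
	"strings"
)

// ResourceQuotaDecl (hypothetical, simplified): a named profile OR explicit inline limits, never both.
type ResourceQuotaDecl struct {
	Profile string            // "small".."xlarge", or a "{{ ... }}" template expression
	Hard    map[string]string // explicit inline limits, e.g. {"cpu": "2", "memory": "4Gi"}
}

// Preset values as stated in the PR description.
var resourceQuotaProfiles = map[string]map[string]string{
	"small":  {"cpu": "2", "memory": "4Gi"},
	"medium": {"cpu": "4", "memory": "8Gi"},
	"large":  {"cpu": "8", "memory": "16Gi"},
	"xlarge": {"cpu": "16", "memory": "32Gi"},
}

// isTemplate reports a {{ ... }} expression, which only the reconciler can evaluate.
func isTemplate(s string) bool { return strings.Contains(s, "{{") && strings.Contains(s, "}}") }

// ValidateResourceQuotaDecl: load-time rules; profile+fields and unknown names are rejected, a templated profile is deferred.
func ValidateResourceQuotaDecl(d ResourceQuotaDecl) (deferred bool, err error) {
	if d.Profile != "" && len(d.Hard) > 0 {
		return false, fmt.Errorf("resourcequota: profile %q and explicit hard limits are mutually exclusive", d.Profile)
	}
	if d.Profile == "" || isTemplate(d.Profile) {
		return d.Profile != "", nil // nothing to check, or deferred to reconcile time
	}
	if _, ok := resourceQuotaProfiles[d.Profile]; !ok {
		return false, fmt.Errorf("resourcequota: unknown profile %q (valid: small, medium, large, xlarge)", d.Profile)
	}
	return false, nil
}

// ResolveResourceQuota: preset for a profile, else the explicit fields; a deferred template has no value yet.
func ResolveResourceQuota(d ResourceQuotaDecl) (map[string]string, error) {
	deferred, err := ValidateResourceQuotaDecl(d)
	if err != nil {
		return nil, err
	} else if deferred {
		return nil, fmt.Errorf("resourcequota: profile %q is a template; resolved at reconcile time", d.Profile)
	} else if d.Profile != "" {
		return resourceQuotaProfiles[d.Profile], nil
	}
	return d.Hard, nil
}
```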