Policy CRD + cluster role rule (#25)

Closes #22

---------

Co-authored-by: Aviram Hassan <[email protected]>

mirrord-operator/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "3.71.0"
+appVersion: "3.72.0"

mirrord-operator/templates/cluster-role.yaml

@@ -48,6 +48,13 @@ rules:
   - userextras/oid
   verbs:
   - impersonate
+- apiGroups:
+  - policies.mirrord.metalbear.co
+  resources:
+  - mirrordpolicies
+  verbs:
+  - list
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

mirrord-operator/templates/crd.yaml

@@ -0,0 +1,86 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: mirrordpolicies.policies.mirrord.metalbear.co
+spec:
+  group: policies.mirrord.metalbear.co
+  names:
+    categories: []
+    kind: MirrordPolicy
+    plural: mirrordpolicies
+    shortNames: []
+    singular: mirrordpolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns: []
+    name: v1alpha
+    schema:
+      openAPIV3Schema:
+        description: Auto-generated derived type for MirrordPolicySpec via `CustomResource`
+        properties:
+          spec:
+            description: Custom resource for policies that limit what mirrord features users can use.
+            properties:
+              block:
+                description: List of features and operations blocked by this policy.
+                items:
+                  description: Features and operations that can be blocked by a `MirrordPolicy`.
+                  enum:
+                  - steal
+                  - steal-without-filter
+                  type: string
+                type: array
+              selector:
+                description: If specified in a policy, the policy will only apply to targets with labels that match all of the selector's rules.
+                nullable: true
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                          enum:
+                          - In
+                          - NotIn
+                          - Exists
+                          - DoesNotExist
+                          type: string
+                        values:
+                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    nullable: true
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    nullable: true
+                    type: object
+                type: object
+              targetPath:
+                description: Specify the targets for which this policy applies, in the pod/my-pod deploy/my-deploy notation. Targets can be matched using `*` and `?` where `?` matches exactly one occurrence of any character and `*` matches arbitrary many (including zero) occurrences of any character. If not specified, this policy does not depend on the target's path.
+                nullable: true
+                type: string
+            required:
+            - block
+            type: object
+        required:
+        - spec
+        title: MirrordPolicy
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+