PatchBaseline

ssm.services.k8s.aws/v1alpha1

TypeLink
GoDocssm-controller/apis/v1alpha1#PatchBaseline

Metadata

PropertyValue
ScopeNamespaced
KindPatchBaseline
ListKindPatchBaselineList
Pluralpatchbaselines
Singularpatchbaseline

Spec

approvalRules: 
  patchRules:
  - approveAfterDays: integer
    approveUntilDate: string
    complianceLevel: string
    enableNonSecurity: boolean
    patchFilterGroup: 
      patchFilters:
      - key: string
        values:
        - string
approvedPatches:
- string
approvedPatchesComplianceLevel: string
approvedPatchesEnableNonSecurity: boolean
clientToken: string
description: string
globalFilters: 
  patchFilters:
  - key: string
    values:
    - string
name: string
operatingSystem: string
rejectedPatches:
- string
rejectedPatchesAction: string
sources:
- configuration: string
  name: string
  products:
  - string
tags:
- key: string
  value: string
FieldDescription
approvalRules
Optional		object
A set of rules used to include patches in the baseline.
approvalRules.patchRules
Optional		array
approvalRules.patchRules.[]
Required		object
Defines an approval rule for a patch baseline.
approvalRules.patchRules.[].approveUntilDate
Optional		string
approvalRules.patchRules.[].complianceLevel
Optional		string
approvalRules.patchRules.[].enableNonSecurity
Optional		boolean
approvalRules.patchRules.[].patchFilterGroup
Optional		object
A set of patch filters, typically used for approval rules.
approvalRules.patchRules.[].patchFilterGroup.patchFilters
Optional		array
approvalRules.patchRules.[].patchFilterGroup.patchFilters.[]
Required		object
Defines which patches should be included in a patch baseline.

A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for WINDOWS are PATCH_SET, PRODUCT, PRODUCT_FAMILY, CLASSIFICATION, and MSRC_SEVERITY.

The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is PRODUCT and the filter values are [“Office 2013”, “Office 2016”], then the filter accepts all patches where product name is either “Office 2013” or “Office 2016”. The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.

You can view lists of valid values for the patch properties by running the DescribePatchProperties command. For information about which patch properties can be used with each major operating system, see DescribePatchProperties. || approvalRules.patchRules.[].patchFilterGroup.patchFilters.[].key
Optional | string
| | approvalRules.patchRules.[].patchFilterGroup.patchFilters.[].values
Optional | array
| | approvalRules.patchRules.[].patchFilterGroup.patchFilters.[].values.[]
Required | string
|| approvedPatches
Optional | array
A list of explicitly approved patches for the baseline.

For information about accepted formats for lists of approved patches and
rejected patches, see About package name formats for approved and rejected
patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html)
in the Amazon Web Services Systems Manager User Guide. | | approvedPatches.[]
Required | string
|| approvedPatchesComplianceLevel
Optional | string
Defines the compliance level for approved patches. When an approved patch
is reported as missing, this value describes the severity of the compliance
violation. The default value is UNSPECIFIED. | | approvedPatchesEnableNonSecurity
Optional | boolean
Indicates whether the list of approved patches includes non-security updates
that should be applied to the managed nodes. The default value is false.
Applies to Linux managed nodes only. | | clientToken
Optional | string
User-provided idempotency token. | | description
Optional | string
A description of the patch baseline. | | globalFilters
Optional | object
A set of global filters used to include patches in the baseline. | | globalFilters.patchFilters
Optional | array
| | globalFilters.patchFilters.[]
Required | object
Defines which patches should be included in a patch baseline.

A patch filter consists of a key and a set of values. The filter key is a patch property. For example, the available filter keys for WINDOWS are PATCH_SET, PRODUCT, PRODUCT_FAMILY, CLASSIFICATION, and MSRC_SEVERITY.

The filter values define a matching criterion for the patch property indicated by the key. For example, if the filter key is PRODUCT and the filter values are [“Office 2013”, “Office 2016”], then the filter accepts all patches where product name is either “Office 2013” or “Office 2016”. The filter values can be exact values for the patch property given as a key, or a wildcard (*), which matches all values.

You can view lists of valid values for the patch properties by running the DescribePatchProperties command. For information about which patch properties can be used with each major operating system, see DescribePatchProperties. || globalFilters.patchFilters.[].key
Optional | string
| | globalFilters.patchFilters.[].values
Optional | array
| | globalFilters.patchFilters.[].values.[]
Required | string
|| name
Required | string
The name of the patch baseline. | | operatingSystem
Optional | string
Defines the operating system the patch baseline applies to. The default value
is WINDOWS. | | rejectedPatches
Optional | array
A list of explicitly rejected patches for the baseline.

For information about accepted formats for lists of approved patches and
rejected patches, see About package name formats for approved and rejected
patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html)
in the Amazon Web Services Systems Manager User Guide. | | rejectedPatches.[]
Required | string
|| rejectedPatchesAction
Optional | string
The action for Patch Manager to take on patches included in the RejectedPackages
list.

* ALLOW_AS_DEPENDENCY : A package in the Rejected patches list is installed
only if it is a dependency of another package. It is considered compliant
with the patch baseline, and its status is reported as InstalledOther.
This is the default action if no option is specified.

* BLOCK : Packages in the RejectedPatches list, and packages that include
them as dependencies, aren’t installed under any circumstances. If a package
was installed before it was added to the Rejected patches list, it is
considered non-compliant with the patch baseline, and its status is reported
as InstalledRejected. | | sources
Optional | array
Information about the patches to use to update the managed nodes, including
target operating systems and source repositories. Applies to Linux managed
nodes only. | | sources.[]
Required | object
Information about the patches to use to update the managed nodes, including target operating systems and source repository. Applies to Linux managed nodes only. || sources.[].configuration
Optional | string
| | sources.[].name
Optional | string
| | sources.[].products
Optional | array
| | sources.[].products.[]
Required | string
|| tags
Optional | array
Optional metadata that you assign to a resource. Tags enable you to categorize
a resource in different ways, such as by purpose, owner, or environment.
For example, you might want to tag a patch baseline to identify the severity
level of patches it specifies and the operating system family it applies
to. In this case, you could specify the following key-value pairs:

* Key=PatchSeverity,Value=Critical

* Key=OS,Value=Windows

To add tags to an existing patch baseline, use the AddTagsToResource operation. | | tags.[]
Required | object
Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata. || tags.[].key
Optional | string
| | tags.[].value
Optional | string
|

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
baselineID: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
FieldDescription
ackResourceMetadata
Optional		object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership,
constructed ARN for the resource
ackResourceMetadata.arn
Optional		string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required		string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.region
Required		string
Region is the AWS region in which the resource exists or will exist.
baselineID
Optional		string
The ID of the created patch baseline.
conditions
Optional		array
All CRS managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource
conditions.[]
Required		object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
conditions.[].message
Optional		string
A human readable message indicating details about the transition.
conditions.[].reason
Optional		string
The reason for the condition’s last transition.
conditions.[].status
Optional		string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional		string
Type is the type of the Condition