qontract-reconcile 0.10.1rc505__py3-none-any.whl → 0.10.1rc507__py3-none-any.whl

{qontract_reconcile-0.10.1rc505.dist-info → qontract_reconcile-0.10.1rc507.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc505
+Version: 0.10.1rc507
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc505.dist-info → qontract_reconcile-0.10.1rc507.dist-info}/RECORD

@@ -1,5 +1,6 @@
 reconcile/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/acs_rbac.py,sha256=Jr9qIR1VjH16xpADZqjkigqsDW7iDnMD9nn7GxU4z0Y,23828
+reconcile/acs_policies.py,sha256=Mop44Z5T0DxXghme13ZVvy1hr5KphZKzc_ZevxAJBQ0,8784
+reconcile/acs_rbac.py,sha256=YoKu5wTRTtb3EGT0PV3r279LDgvw2ECb-0_0j4suScg,23032
 reconcile/aws_ami_share.py,sha256=eeu0TI3M5yyUaozyAq_aW3tir-9be4YFguOXvIvKHSo,3757
 reconcile/aws_ecr_image_pull_secrets.py,sha256=TGEc_0nv8oxV2HqA8VdcM4HHP-B1YqmNOOU6FPwVFTY,2328
 reconcile/aws_garbage_collector.py,sha256=ddwU8IKTueAJc0TzymcREr7hcoVui9kOGvdH1B2EcuM,450
@@ -8,7 +9,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=bI6iACTMbjI3hngvhIl1L6PqY-k2XfkVunLV95yGPSk,82112
+reconcile/cli.py,sha256=3IRugyi6JemMe5RhL5gGiAycQHdFb-9hB989BeT2Tw0,82390
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -165,6 +166,7 @@ reconcile/glitchtip_project_dsn/integration.py,sha256=PlOsRaaftzODZE_uf1I-XSM732
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
+reconcile/gql_definitions/acs/acs_policies.py,sha256=Z6Z7duvS9W4cbciBED4oK40Vg9QyYti3zXvoEXM-fak,4422
 reconcile/gql_definitions/acs/acs_rbac.py,sha256=cZsIlCWliPQdQHgmBsIMx54fJNOtkdRXLzmOKZmJNHk,3009
 reconcile/gql_definitions/advanced_upgrade_service/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/advanced_upgrade_service/aus_clusters.py,sha256=2-OnknXDUI2pnZknEmjzMPBXUpWStoE32lpQQStobao,4221
@@ -368,7 +370,8 @@ reconcile/templates/jira-checkpoint-missinginfo.j2,sha256=c_Vvg-lEENsB3tgxm9B6Y9
 reconcile/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/test/conftest.py,sha256=rQousYrxUz-EwAIbsYO6bIwR1B4CrOz9y_zaUVo2lfI,4466
 reconcile/test/fixtures.py,sha256=9SDWAUlSd1rCx7z3GhULHcpr-I6FyCsXxaFAZIqYQsQ,591
-reconcile/test/test_acs_rbac.py,sha256=BADHTYfXBkoge5Tl4DOoh3pwU7EsN4yzLIy3gNQ8XHM,28409
+reconcile/test/test_acs_policies.py,sha256=52pZXzsLZXsvWoFW7IgP1nGjQw9a2Pd3axjfRHWUUfc,15083
+reconcile/test/test_acs_rbac.py,sha256=lvNd8GY0-GHzcOdOn13QWdrqbBXXKzNT7EEDHNH7cjM,28272
 reconcile/test/test_aggregated_list.py,sha256=iiWitQuNYC58aimWaiBoE4NROHjr1NCgQ91MnHEG_Ro,6412
 reconcile/test/test_amtool.py,sha256=vxRhGieeydMBOb9UI2ziMHjJa8puMeGNsUhGhy-yMnk,1032
 reconcile/test/test_aws_ami_cleanup.py,sha256=cHumkZD33vIIblNbrMKNCva-WeE3sMv8kiFA0A96wwk,8733
@@ -502,7 +505,6 @@ reconcile/typed_queries/app_interface_metrics_exporter/onboarding_status.py,sha2
 reconcile/typed_queries/terraform_tgw_attachments/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/typed_queries/terraform_tgw_attachments/aws_accounts.py,sha256=T5HSeyBcGKP-LzDmIzs-WlBwOtSenYpm0Odw5--xdOg,410
 reconcile/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/utils/acs_api.py,sha256=AworbL61gIzw1asDaz0A1qbuZ2QDupF_EfrjQhXCCc8,10020
 reconcile/utils/aggregated_list.py,sha256=pkYoBj7WwmaNgEefETqEOFTnQMcUzHE3mdsVdzGYj60,3372
 reconcile/utils/amtool.py,sha256=JV5-to_e_FaIcvJWTKYA9d6L3LwzwijM0MjUWn83eD4,2204
 reconcile/utils/aws_api.py,sha256=I6a_-aW1ptL8287I-6GnAdtavjjYMMsMeNHMT3WwA_I,65033
@@ -633,7 +635,7 @@ reconcile/utils/terraform/config.py,sha256=5UVrd563TMcvi4ooa5JvWVDW1I3bIWg484u79
 reconcile/utils/terraform/config_client.py,sha256=py-Ree-QUYD6Hvng6bM40VgSuttteehIKNgwOSoJO1o,4706
 reconcile/utils/terrascript/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/utils/terrascript/cloudflare_client.py,sha256=EOmAnrgSUZz-UZB7x6TFd4WGk0huWZm2hh29Cueiyr8,10278
-reconcile/utils/terrascript/cloudflare_resources.py,sha256=ZvmFqE-Atki6ehMA4iirYqpml4bCPHdddq8lu58udGA,15952
+reconcile/utils/terrascript/cloudflare_resources.py,sha256=FXeMlm3nVfaNBabyhC654D-MkHTTTr7rh4BHNCwoXZA,15996
 reconcile/utils/terrascript/models.py,sha256=x9HReI0k71MHBpRTvvmPlE0G6rri5GTzPXM9cqyTWm0,475
 reconcile/utils/terrascript/resources.py,sha256=bQzglnO41KZZEIeXYgi-qlup1p8R03Qyx_V944LRPsc,1391
 release/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -655,8 +657,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=d18KrdhtUGqoC7_kWZU128U0-VJEj-0rjFkLVufcI6I,2755
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc505.dist-info/METADATA,sha256=9vvQJsGEq4_oKtbivKJzIUMooQaoA4ewVRMXfA-yUNY,2349
-qontract_reconcile-0.10.1rc505.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc505.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc505.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc505.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc507.dist-info/METADATA,sha256=MFhlaeZXsE2DxlrU5_8jeDSAc67WNz_TKbo_tydbkmE,2349
+qontract_reconcile-0.10.1rc507.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc507.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc507.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc507.dist-info/RECORD,,

reconcile/acs_policies.py

@@ -0,0 +1,232 @@
+import logging
+from collections.abc import Callable
+from typing import cast
+
+import reconcile.gql_definitions.acs.acs_policies as gql_acs_policies
+from reconcile.gql_definitions.acs.acs_policies import (
+    AcsPolicyConditionsV1,
+    AcsPolicyV1,
+)
+from reconcile.typed_queries.app_interface_vault_settings import (
+    get_app_interface_vault_settings,
+)
+from reconcile.utils import gql
+from reconcile.utils.acs.policies import AcsPolicyApi, Policy, PolicyCondition, Scope
+from reconcile.utils.differ import diff_iterables
+from reconcile.utils.runtime.integration import (
+    NoParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.secret_reader import create_secret_reader
+from reconcile.utils.semver_helper import make_semver
+
+# proceeding constants map schema enum values to corresponding acs api defaults
+POLICY_CATEGORIES = {
+    "anomalous-activity": "Anomalous Activity",
+    "devops-best-practices": "DevOps Best Practices",
+    "kubernetes": "Kubernetes",
+    "privileges": "Privileges",
+    "security-best-practices": "Security Best Practices",
+    "vulnerability-management": "Vulnerability Management",
+}
+
+POLICY_CONDITION_COMPARISONS = {
+    "gt": ">",
+    "gte": ">=",
+    "eq": "",
+    "lt": "<",
+    "lte": "<=",
+}
+
+POLICY_CONDITION_FIELD_NAMES = {
+    "cvss": "CVSS",
+    "severity": "Severity",
+    "imageTag": "Image Tag",
+    "imageAge": "Image Age",
+    "cve": "Fixable",
+}
+
+
+class AcsPoliciesIntegration(QontractReconcileIntegration[NoParams]):
+    def __init__(self) -> None:
+        super().__init__(NoParams())
+        self.qontract_integration = "acs_policies"
+        self.qontract_integration_version = make_semver(0, 1, 0)
+
+    @property
+    def name(self) -> str:
+        return self.qontract_integration.replace("_", "-")
+
+    def _build_policy(
+        self, gql_policy: AcsPolicyV1, notifier_name_to_id: dict[str, str]
+    ) -> Policy:
+        conditions = [
+            pc for c in gql_policy.conditions if (pc := self._build_policy_condition(c))
+        ]
+        return Policy(
+            name=gql_policy.name,
+            description=gql_policy.description,
+            notifiers=sorted([notifier_name_to_id[n] for n in gql_policy.notifiers])
+            if gql_policy.notifiers
+            else [],
+            severity=f"{gql_policy.severity.upper()}_SEVERITY",  # align with acs api severity value format
+            scope=sorted(
+                [
+                    Scope(cluster=cs.name, namespace="")
+                    for cs in cast(
+                        gql_acs_policies.AcsPolicyScopeClusterV1,
+                        gql_policy.scope,
+                    ).clusters
+                ],
+                key=lambda s: s.cluster,
+            )
+            if gql_policy.scope.level == "cluster"
+            else sorted(
+                [
+                    Scope(cluster=ns.cluster.name, namespace=ns.name)
+                    for ns in cast(
+                        gql_acs_policies.AcsPolicyScopeNamespaceV1,
+                        gql_policy.scope,
+                    ).namespaces
+                ],
+                key=lambda s: s.cluster,
+            ),
+            categories=sorted([POLICY_CATEGORIES[pc] for pc in gql_policy.categories]),
+            conditions=conditions,
+        )
+
+    def _build_policy_condition(
+        self, condition: AcsPolicyConditionsV1
+    ) -> PolicyCondition | None:
+        field_name = POLICY_CONDITION_FIELD_NAMES[condition.policy_field]
+        match condition.policy_field:
+            case "cvss":
+                cvss_condition = cast(
+                    gql_acs_policies.AcsPolicyConditionsCvssV1, condition
+                )
+                return PolicyCondition(
+                    field_name=field_name,
+                    negate=False,
+                    values=[
+                        f"{POLICY_CONDITION_COMPARISONS[cvss_condition.comparison]}{cvss_condition.score}"
+                    ],
+                )
+            case "severity":
+                severity_condition = cast(
+                    gql_acs_policies.AcsPolicyConditionsSeverityV1, condition
+                )
+                return PolicyCondition(
+                    field_name=field_name,
+                    negate=False,
+                    values=[
+                        f"{POLICY_CONDITION_COMPARISONS[severity_condition.comparison]}{severity_condition.level.upper()}"
+                    ],
+                )
+            case "cve":
+                cve_condition = cast(
+                    gql_acs_policies.AcsPolicyConditionsCveV1, condition
+                )
+                return PolicyCondition(
+                    field_name=field_name,
+                    negate=False,
+                    values=[str(cve_condition.fixable).lower()],
+                )
+            case "image_tag":
+                image_tag_condition = cast(
+                    gql_acs_policies.AcsPolicyConditionsImageTagV1, condition
+                )
+                return PolicyCondition(
+                    field_name=field_name,
+                    # negate utilized to enforce policy in which image tag should not be any
+                    # defined in list of values
+                    negate=image_tag_condition.negate or False,
+                    values=image_tag_condition.tags,
+                )
+            case "image_age":
+                image_age_condition = cast(
+                    gql_acs_policies.AcsPolicyConditionsImageAgeV1, condition
+                )
+                return PolicyCondition(
+                    field_name=field_name,
+                    negate=False,
+                    values=[str(image_age_condition.days)],
+                )
+            case _:
+                logging.warning(
+                    "unsupported policyField encountered: %s", condition.policy_field
+                )
+                return None
+
+    def get_desired_state(
+        self, query_func: Callable, notifiers: list[AcsPolicyApi.NotifierIdentifiers]
+    ) -> list[Policy]:
+        """
+        Get desired ACS security policies and convert to acs api policy object format
+
+        :param query_func: function which queries GQL server
+        :return: list of utils.acs.policies.Policy derived from acs-policy-1 definitions
+        """
+        notifier_name_to_id = {n.name: n.id for n in notifiers}
+        return [
+            self._build_policy(gql_policy, notifier_name_to_id)
+            for gql_policy in gql_acs_policies.query(query_func=query_func).acs_policies
+            or []
+        ]
+
+    def reconcile(
+        self,
+        desired: list[Policy],
+        current: list[Policy],
+        acs: AcsPolicyApi,
+        dry_run: bool,
+    ) -> None:
+        errors = []
+        diff = diff_iterables(current=current, desired=desired, key=lambda x: x.name)
+        for a in diff.add.values():
+            logging.info("Create policy: %s", a.name)
+            if not dry_run:
+                try:
+                    acs.create_or_update_policy(desired=a)
+                except Exception as e:
+                    errors.append(e)
+        if diff.delete or diff.change:
+            policy_id_by_name = {p["name"]: p["id"] for p in acs.list_custom_policies()}
+            for d in diff.delete.values():
+                logging.info("Delete policy: %s", d.name)
+                if not dry_run:
+                    try:
+                        acs.delete_policy(policy_id_by_name[d.name])
+                    except Exception as e:
+                        errors.append(e)
+            for c in diff.change.values():
+                logging.info("Update policy: %s", c.desired.name)
+                if not dry_run:
+                    try:
+                        acs.create_or_update_policy(
+                            desired=c.desired, id=policy_id_by_name[c.current.name]
+                        )
+                    except Exception as e:
+                        errors.append(e)
+        if errors:
+            raise ExceptionGroup("Reconcile errors occurred", errors)
+
+    def run(
+        self,
+        dry_run: bool,
+    ) -> None:
+        gqlapi = gql.get_api()
+        instance = AcsPolicyApi.get_acs_instance(gqlapi.query)
+
+        vault_settings = get_app_interface_vault_settings()
+        secret_reader = create_secret_reader(use_vault=vault_settings.vault)
+        token = secret_reader.read_all_secret(instance.credentials)
+
+        with AcsPolicyApi(
+            instance={"url": instance.url, "token": token[instance.credentials.field]}
+        ) as acs_api:
+            notifiers = acs_api.list_notifiers()
+            desired = self.get_desired_state(gqlapi.query, notifiers)
+            current = acs_api.get_custom_policies()
+            self.reconcile(
+                desired=desired, current=current, acs=acs_api, dry_run=dry_run
+            )

reconcile/acs_rbac.py

@@ -8,24 +8,17 @@ from typing import (
 
 from pydantic import BaseModel
 
-from reconcile.gql_definitions.acs.acs_instances import AcsInstanceV1
-from reconcile.gql_definitions.acs.acs_instances import query as acs_instances_query
 from reconcile.gql_definitions.acs.acs_rbac import OidcPermissionAcsV1
 from reconcile.gql_definitions.acs.acs_rbac import query as acs_rbac_query
 from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.utils import gql
-from reconcile.utils.acs_api import (
-    AcsApi,
-    Group,
-    RbacResources,
-)
+from reconcile.utils.acs.rbac import AcsRbacApi, Group, RbacResources
 from reconcile.utils.differ import (
     DiffPair,
     diff_iterables,
 )
-from reconcile.utils.exceptions import AppInterfaceSettingsError
 from reconcile.utils.runtime.integration import (
     NoParams,
     QontractReconcileIntegration,
@@ -143,20 +136,6 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
     def name(self) -> str:
         return self.qontract_integration.replace("_", "-")
 
-    def get_acs_instance(self, query_func: Callable) -> AcsInstanceV1:
-        """
-        Get an ACS instance
-
-        :param query_func: function which queries GQL Server
-        """
-        if instances := acs_instances_query(query_func=query_func).instances:
-            # mirroring logic for gitlab instances
-            # current assumption is for appsre to only utilize one instance
-            if len(instances) != 1:
-                raise AppInterfaceSettingsError("More than one ACS instance found!")
-            return instances[0]
-        raise AppInterfaceSettingsError("No ACS instance found!")
-
     def get_desired_state(self, query_func: Callable) -> list[AcsRole]:
         """
         Get desired ACS roles and associated users from App Interface
@@ -255,7 +234,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
     def add_rbac_for_role(
         self,
         role: AcsRole,
-        acs: AcsApi,
+        acs: AcsRbacApi,
         admin_access_scope_id: str,
         permission_set_id: str,
         auth_id: str,
@@ -298,7 +277,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
 
         if not dry_run:
             additions = [
-                AcsApi.GroupAdd(
+                AcsRbacApi.GroupAdd(
                     role_name=role.name,
                     key=a.key,
                     value=a.value,
@@ -317,7 +296,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
         self,
         to_add: dict[str, AcsRole],
         rbac_api_resources: RbacResources,
-        acs: AcsApi,
+        acs: AcsRbacApi,
         auth_id: str,
         dry_run: bool,
     ) -> list[Exception]:
@@ -351,7 +330,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
     def delete_rbac_for_role(
         self,
         role: AcsRole,
-        acs: AcsApi,
+        acs: AcsRbacApi,
         access_scope_id: str,
         admin_access_scope_id: str,
         groups: list[Group],
@@ -394,7 +373,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
         self,
         to_delete: dict[str, AcsRole],
         rbac_api_resources: RbacResources,
-        acs: AcsApi,
+        acs: AcsRbacApi,
         auth_id: str,
         dry_run: bool,
     ) -> list[Exception]:
@@ -430,7 +409,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
     def update_rbac_for_role(
         self,
         role_diff_pair: DiffPair[AcsRole, AcsRole],
-        acs: AcsApi,
+        acs: AcsRbacApi,
         role_group_mappings: dict[str, dict[str, Group]],
         access_scope_id: str,
         permission_set_id: str,
@@ -465,7 +444,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
                 for d in diff.delete.values()
             ]
             new = [
-                AcsApi.GroupAdd(
+                AcsRbacApi.GroupAdd(
                     role_name=role_diff_pair.desired.name,
                     key=a.key,
                     value=a.value,
@@ -513,7 +492,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
         self,
         to_update: dict[str, DiffPair[AcsRole, AcsRole]],
         rbac_api_resources: RbacResources,
-        acs: AcsApi,
+        acs: AcsRbacApi,
         auth_id: str,
         dry_run: bool,
     ) -> list[Exception]:
@@ -558,7 +537,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
         desired: list[AcsRole],
         current: list[AcsRole],
         rbac_api_resources: RbacResources,
-        acs: AcsApi,
+        acs: AcsRbacApi,
         auth_provider_id: str,
         dry_run: bool,
     ) -> None:
@@ -602,7 +581,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
         dry_run: bool,
     ) -> None:
         gqlapi = gql.get_api()
-        instance = self.get_acs_instance(gqlapi.query)
+        instance = AcsRbacApi.get_acs_instance(gqlapi.query)
 
         vault_settings = get_app_interface_vault_settings()
         secret_reader = create_secret_reader(use_vault=vault_settings.vault)
@@ -610,7 +589,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
 
         desired = self.get_desired_state(gqlapi.query)
 
-        with AcsApi(
+        with AcsRbacApi(
             instance={"url": instance.url, "token": token[instance.credentials.field]}
         ) as acs_api:
             rbac_api_resources = acs_api.get_rbac_resources()

reconcile/cli.py

@@ -2952,6 +2952,17 @@ def acs_rbac(ctx):
     )
 
 
+@integration.command(short_help="Manages RHACS security policy configurations")
+@click.pass_context
+def acs_policies(ctx):
+    from reconcile import acs_policies
+
+    run_class_integration(
+        integration=acs_policies.AcsPoliciesIntegration(),
+        ctx=ctx.obj,
+    )
+
+
 def get_integration_cli_meta() -> dict[str, IntegrationMeta]:
     """
     returns all integrations known to cli.py via click introspection

reconcile/gql_definitions/acs/acs_policies.py

@@ -0,0 +1,159 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query AcsPolicy {
+  acs_policies: acs_policy_v1 {
+   	name
+    description
+    severity
+    notifiers
+    categories
+    scope {
+      level
+      ... on AcsPolicyScopeCluster_v1 {
+				clusters {
+          name
+        }        
+      }
+      ... on AcsPolicyScopeNamespace_v1 {
+       	namespaces {
+          name
+          cluster {
+            name
+          }
+        }
+      }
+    }
+	  conditions {
+      policyField
+      ... on AcsPolicyConditionsCvss_v1 {
+        comparison
+        score
+      }
+      ... on AcsPolicyConditionsSeverity_v1 {
+        comparison
+        level
+      }
+      ... on AcsPolicyConditionsCve_v1 {
+        fixable
+      }
+      ... on AcsPolicyConditionsImageTag_v1 {
+        tags
+        negate
+      }
+      ... on AcsPolicyConditionsImageAge_v1 {
+        days
+      }
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class AcsPolicyScopeV1(ConfiguredBaseModel):
+    level: str = Field(..., alias="level")
+
+
+class ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+
+
+class AcsPolicyScopeClusterV1(AcsPolicyScopeV1):
+    clusters: list[ClusterV1] = Field(..., alias="clusters")
+
+
+class NamespaceV1_ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    cluster: NamespaceV1_ClusterV1 = Field(..., alias="cluster")
+
+
+class AcsPolicyScopeNamespaceV1(AcsPolicyScopeV1):
+    namespaces: list[NamespaceV1] = Field(..., alias="namespaces")
+
+
+class AcsPolicyConditionsV1(ConfiguredBaseModel):
+    policy_field: str = Field(..., alias="policyField")
+
+
+class AcsPolicyConditionsCvssV1(AcsPolicyConditionsV1):
+    comparison: str = Field(..., alias="comparison")
+    score: int = Field(..., alias="score")
+
+
+class AcsPolicyConditionsSeverityV1(AcsPolicyConditionsV1):
+    comparison: str = Field(..., alias="comparison")
+    level: str = Field(..., alias="level")
+
+
+class AcsPolicyConditionsCveV1(AcsPolicyConditionsV1):
+    fixable: bool = Field(..., alias="fixable")
+
+
+class AcsPolicyConditionsImageTagV1(AcsPolicyConditionsV1):
+    tags: list[str] = Field(..., alias="tags")
+    negate: Optional[bool] = Field(..., alias="negate")
+
+
+class AcsPolicyConditionsImageAgeV1(AcsPolicyConditionsV1):
+    days: int = Field(..., alias="days")
+
+
+class AcsPolicyV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    description: Optional[str] = Field(..., alias="description")
+    severity: str = Field(..., alias="severity")
+    notifiers: Optional[list[str]] = Field(..., alias="notifiers")
+    categories: list[str] = Field(..., alias="categories")
+    scope: Union[AcsPolicyScopeClusterV1, AcsPolicyScopeNamespaceV1, AcsPolicyScopeV1] = Field(..., alias="scope")
+    conditions: list[Union[AcsPolicyConditionsCvssV1, AcsPolicyConditionsSeverityV1, AcsPolicyConditionsImageTagV1, AcsPolicyConditionsCveV1, AcsPolicyConditionsImageAgeV1, AcsPolicyConditionsV1]] = Field(..., alias="conditions")
+
+
+class AcsPolicyQueryData(ConfiguredBaseModel):
+    acs_policies: Optional[list[AcsPolicyV1]] = Field(..., alias="acs_policies")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AcsPolicyQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AcsPolicyQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AcsPolicyQueryData(**raw_data)