Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type RegistryHostnameRetriever ¶
type RegistryHostnameRetriever interface { InternalRegistryHostname() (string, bool) ExternalRegistryHostname() (string, bool) }
RegistryHostnameRetriever represents an interface for retrieving the hostname of internal and external registry.
type RegistryWhitelister ¶
type RegistryWhitelister interface { // AdmitHostname returns error if the given host is not allowed by the whitelist. AdmitHostname(host string, transport WhitelistTransport) error // AdmitPullSpec returns error if the given pull spec is allowed neither by the whitelist nor by the // collected whitelisted pull specs. AdmitPullSpec(pullSpec string, transport WhitelistTransport) error // AdmitDockerImageReference returns error if the given reference is allowed neither by the whitelist nor // by the collected whitelisted pull specs. AdmitDockerImageReference(ref *imageapi.DockerImageReference, transport WhitelistTransport) error // WhitelistRegistry extends internal whitelist for additional registry domain name. Accepted values are: // <host>, <host>:<port> // where each component can contain wildcards like '*' or '??' to match wide range of registries. If the // port is omitted, the default will be appended based on the given transport. If the transport is "any", // the given glob will match hosts with both :80 and :443 ports. WhitelistRegistry(hostPortGlob string, transport WhitelistTransport) error // WhitelistPullSpecs allows to whitelist particular pull specs. References must match exactly one of the // given pull specs for it to be whitelisted. WhitelistPullSpecs(pullSpecs ...string) // Copy returns a deep copy of the whitelister. This is useful for temporarily whitelisting additional // registries/pullSpecs before a specific validation. Copy() RegistryWhitelister }
RegistryWhitelister decides whether given image pull specs are allowed by system's image policy.
func NewRegistryWhitelister ¶
func NewRegistryWhitelister( whitelist serverapi.AllowedRegistries, registryHostRetriever RegistryHostnameRetriever, ) (RegistryWhitelister, error)
NewRegistryWhitelister creates a whitelister that admits registry domains and pull specs based on the given list of allowed registries and the current domain name of the integrated Docker registry.
func WhitelistAllRegistries ¶
func WhitelistAllRegistries() RegistryWhitelister
WhitelistAllRegistries returns a whitelister that will allow any given registry host name. TODO: make a new implementation of RegistryWhitelister instead that will not bother with pull specs
type WhitelistTransport ¶
type WhitelistTransport string
WhitelistTransport says whether the associated registry host shall be treated as secure or insecure.
const ( WhitelistTransportAny WhitelistTransport = "any" WhitelistTransportSecure WhitelistTransport = "secure" WhitelistTransportInsecure WhitelistTransport = "insecure" )