Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type EvaluationResponse ¶
type EvaluationResponse struct {
// Result is the actionable result code from running the evaluation.
Result EvaluationResult
// Message is optional context as to why the evaluator has given the result
// it has.
Message string
}
EvaluationResponse is the response to an evaluation request.
type EvaluationResult ¶
type EvaluationResult bool
EvaluationResult is the result of an evaluator evaluating a CertificateRequest based on the given CertificateRequestPolicy.
const ( // ResultDenied is the result of an evaluation where the evaluator denies the // request. ResultDenied EvaluationResult = false // ResultPassed is the result of an evaluation where the evaluator didn't // deny the request, and passed evaluation. ResultNotDenied EvaluationResult = true )
type Evaluator ¶
type Evaluator interface {
// Evaluate determines whether the given request passes evaluation based on
// the given policy.
// Evaluate should return ResultDenied if the request is denied given the
// policy. Evaluate should return ResultNotDenied if the request hasn't been
// denied.
// An occupying message may be returned to give context to the denied
// decision.
// An error should only be returned if there was an error in the evaluator
// attempting to evaluate the request over the policy itself. A policy
// manager may re-evaluate an evaluation if an error is returned.
Evaluate(context.Context, *policyapi.CertificateRequestPolicy, *cmapi.CertificateRequest) (EvaluationResponse, error)
}
Evaluator is responsible for making decisions on whether a CertificateRequest should be denied given a CertificateRequestPolicy. Evaluators should register within the registry if they wish to be evaluated by the approver manager.
type Interface ¶
type Interface interface {
// Name is name of this Approver. Name must be unique to the
// approver-policy instance.
Name() string
// RegisterFlags can be used by Approvers for registering CLI flags which are
// required for configuring that Approver on this approver-policy instance.
RegisterFlags(*pflag.FlagSet)
// Prepare can be used by Approvers for registering extra Kubernetes
// controllers, adding health checks, or other controller-runtime runnables.
Prepare(context.Context, logr.Logger, manager.Manager) error
// Evaluator is responsible for executing evaluations on whether a request
// should be denied or not.
Evaluator
// Webhook implements admission functions for CertificateRequestPolicy
// resources.
Webhook
// Reconciler is responsible for determining the status of a
// CertificateRequestPolicy according to this Approver.
Reconciler
}
Interface is an Approver. An Approver implements an Evaluator and Webhook.
type Reconciler ¶
type Reconciler interface {
// Ready declares whether the CertificateRequestPolicy is in a Ready state
// according to this Reconciler.
// ReconcilerReadyResponse should be returned if Ready executed successfully
// and should report the what the Ready status condition should be according
// to this Reconciler.
// A returned error means that there was an error when trying to evaluate the
// Ready state. A returned error will have Ready be retried.
Ready(context.Context, *policyapi.CertificateRequestPolicy) (ReconcilerReadyResponse, error)
// EnqueueChan returns a channel that when a message is received, will
// reconcile the CertificateRequestPolicy with the given name, regardless of
// state.
// Useful for Reconcilers to provide an enqueue channel that forces a re-sync
// of CertificateRequestPolicies where external state (e.g. files, incoming
// events) effect the ready condition.
// EnqueueChan() is expected to only be called once for each Reconciler at
// start up.
// A nil return value will never cause a re-sync by that Reconciler.
EnqueueChan() <-chan string
}
Reconciler is responsible for reconciling CertificateRequestPolicies and declaring what state they should be in.
type ReconcilerReadyResponse ¶
type ReconcilerReadyResponse struct {
// Ready defines whether this Reconciler considers this
// CertificateRequestPolicy to be in a ready state.
Ready bool
// Errors are list of errors that give context as to why the Ready field is
// set to false. Only considered if Ready is set to false.
Errors field.ErrorList
// Result may be used by Reconciles to signal that the
// CertificateRequestPolicies' status should be reconciled again and in what
// duration into the future.
// The CertificateRequestPolicy may be reconciled again sooner, but never
// later than the RequeueAfter duration.
// RequeueAfter is ignored if Request is false.
ctrl.Result
}
ReconcilerReadyResponse is the response to this Reconciler evaluating whether the CertificateRequestPolicy is in a Ready state.
type Webhook ¶
type Webhook interface {
// Validate is run every time a CertificateRequestPolicy is created or
// updated at admission time to the API server. If Validate returns a
// response with Allowed set to false, the object will not be committed.
// Similarly, any error will cause the object not to be committed
// immediately, and no other webhooks will be run.
Validate(context.Context, *policyapi.CertificateRequestPolicy) (WebhookValidationResponse, error)
}
Webhook is responsible for making decisions about whether a CertificateRequestPolicy should be committed to the API server at admission time.
type WebhookValidationResponse ¶
type WebhookValidationResponse struct {
// Allowed indicates whether the request was permitted by this Webhook.
Allowed bool
// Errors are errors in response to the validation request being not Allowed.
Errors field.ErrorList
// Warnings are non-fatal warnings when validating a CertificateRequestPolicy
// Will be displayed as admission warnings when a CertificateRequestPolicy is applied
// https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response
Warnings admission.Warnings
}
WebhookValidationResponse is the response to a validate request to a Webhook.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.