approver

package
v0.13.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 6, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type EvaluationResponse

type EvaluationResponse struct {
	// Result is the actionable result code from running the evaluation.
	Result EvaluationResult

	// Message is optional context as to why the evaluator has given the result
	// it has.
	Message string
}

EvaluationResponse is the response to an evaluation request.

type EvaluationResult

type EvaluationResult bool

EvaluationResult is the result of an evaluator evaluating a CertificateRequest based on the given CertificateRequestPolicy.

const (
	// ResultDenied is the result of an evaluation where the evaluator denies the
	// request.
	ResultDenied EvaluationResult = false

	// ResultPassed is the result of an evaluation where the evaluator didn't
	// deny the request, and passed evaluation.
	ResultNotDenied EvaluationResult = true
)

type Evaluator

type Evaluator interface {
	// Evaluate determines whether the given request passes evaluation based on
	// the given policy.
	// Evaluate should return ResultDenied if the request is denied given the
	// policy. Evaluate should return ResultNotDenied if the request hasn't been
	// denied.
	// An occupying message may be returned to give context to the denied
	// decision.
	// An error should only be returned if there was an error in the evaluator
	// attempting to evaluate the request over the policy itself. A policy
	// manager may re-evaluate an evaluation if an error is returned.
	Evaluate(context.Context, *policyapi.CertificateRequestPolicy, *cmapi.CertificateRequest) (EvaluationResponse, error)
}

Evaluator is responsible for making decisions on whether a CertificateRequest should be denied given a CertificateRequestPolicy. Evaluators should register within the registry if they wish to be evaluated by the approver manager.

type Interface

type Interface interface {
	// Name is name of this Approver. Name must be unique to the
	// approver-policy instance.
	Name() string

	// RegisterFlags can be used by Approvers for registering CLI flags which are
	// required for configuring that Approver on this approver-policy instance.
	RegisterFlags(*pflag.FlagSet)

	// Prepare can be used by Approvers for registering extra Kubernetes
	// controllers, adding health checks, or other controller-runtime runnables.
	Prepare(context.Context, logr.Logger, manager.Manager) error

	// Evaluator is responsible for executing evaluations on whether a request
	// should be denied or not.
	Evaluator

	// Webhook implements admission functions for CertificateRequestPolicy
	// resources.
	Webhook

	// Reconciler is responsible for determining the status of a
	// CertificateRequestPolicy according to this Approver.
	Reconciler
}

Interface is an Approver. An Approver implements an Evaluator and Webhook.

type Reconciler

type Reconciler interface {
	// Ready declares whether the CertificateRequestPolicy is in a Ready state
	// according to this Reconciler.
	// ReconcilerReadyResponse should be returned if Ready executed successfully
	// and should report the what the Ready status condition should be according
	// to this Reconciler.
	// A returned error means that there was an error when trying to evaluate the
	// Ready state. A returned error will have Ready be retried.
	Ready(context.Context, *policyapi.CertificateRequestPolicy) (ReconcilerReadyResponse, error)

	// EnqueueChan returns a channel that when a message is received, will
	// reconcile the CertificateRequestPolicy with the given name, regardless of
	// state.
	// Useful for Reconcilers to provide an enqueue channel that forces a re-sync
	// of CertificateRequestPolicies where external state (e.g. files, incoming
	// events) effect the ready condition.
	// EnqueueChan() is expected to only be called once for each Reconciler at
	// start up.
	// A nil return value will never cause a re-sync by that Reconciler.
	EnqueueChan() <-chan string
}

Reconciler is responsible for reconciling CertificateRequestPolicies and declaring what state they should be in.

type ReconcilerReadyResponse

type ReconcilerReadyResponse struct {
	// Ready defines whether this Reconciler considers this
	// CertificateRequestPolicy to be in a ready state.
	Ready bool

	// Errors are list of errors that give context as to why the Ready field is
	// set to false. Only considered if Ready is set to false.
	Errors field.ErrorList

	// Result may be used by Reconciles to signal that the
	// CertificateRequestPolicies' status should be reconciled again and in what
	// duration into the future.
	// The CertificateRequestPolicy may be reconciled again sooner, but never
	// later than the RequeueAfter duration.
	// RequeueAfter is ignored if Request is false.
	ctrl.Result
}

ReconcilerReadyResponse is the response to this Reconciler evaluating whether the CertificateRequestPolicy is in a Ready state.

type Webhook

type Webhook interface {
	// Validate is run every time a CertificateRequestPolicy is created or
	// updated at admission time to the API server. If Validate returns a
	// response with Allowed set to false, the object will not be committed.
	// Similarly, any error will cause the object not to be committed
	// immediately, and no other webhooks will be run.
	Validate(context.Context, *policyapi.CertificateRequestPolicy) (WebhookValidationResponse, error)
}

Webhook is responsible for making decisions about whether a CertificateRequestPolicy should be committed to the API server at admission time.

type WebhookValidationResponse

type WebhookValidationResponse struct {
	// Allowed indicates whether the request was permitted by this Webhook.
	Allowed bool

	// Errors are errors in response to the validation request being not Allowed.
	Errors field.ErrorList

	// Warnings are non-fatal warnings when validating a CertificateRequestPolicy
	// Will be displayed as admission warnings when a CertificateRequestPolicy is applied
	// https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response
	Warnings admission.Warnings
}

WebhookValidationResponse is the response to a validate request to a Webhook.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL