Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type EvaluationResponse ¶
type EvaluationResponse struct { // Result is the actionable result code from running the evaluation. Result EvaluationResult // Message is optional context as to why the evaluator has given the result // it has. Message string }
EvaluationResponse is the response to an evaluation request.
type EvaluationResult ¶
type EvaluationResult bool
EvaluationResult is the result of an evaluator evaluating a CertificateRequest based on the given CertificateRequestPolicy.
const ( // ResultDenied is the result of an evaluation where the evaluator denies the // request. ResultDenied EvaluationResult = false // ResultPassed is the result of an evaluation where the evaluator didn't // deny the request, and passed evaluation. ResultNotDenied EvaluationResult = true )
type Evaluator ¶
type Evaluator interface { // Evaluate determines whether the given request passes evaluation based on // the given policy. // Evaluate should return ResultDenied if the request is denied given the // policy. Evaluate should return ResultNotDenied if the request hasn't been // denied. // An occupying message may be returned to give context to the denied // decision. // An error should only be returned if there was an error in the evaluator // attempting to evaluate the request over the policy itself. A policy // manager may re-evaluate an evaluation if an error is returned. Evaluate(context.Context, *policyapi.CertificateRequestPolicy, *cmapi.CertificateRequest) (EvaluationResponse, error) }
Evaluator is responsible for making decisions on whether a CertificateRequest should be denied given a CertificateRequestPolicy. Evaluators should register within the registry if they wish to be evaluated by the approver manager.
type Interface ¶
type Interface interface { // Name is name of this Approver. Name must be unique to the // approver-policy instance. Name() string // RegisterFlags can be used by Approvers for registering CLI flags which are // required for configuring that Approver on this approver-policy instance. RegisterFlags(*pflag.FlagSet) // Prepare can be used by Approvers for registering extra Kubernetes // controllers, adding health checks, or other controller-runtime runnables. Prepare(context.Context, logr.Logger, manager.Manager) error // Evaluator is responsible for executing evaluations on whether a request // should be denied or not. Evaluator // Webhook implements admission functions for CertificateRequestPolicy // resources. Webhook // Reconciler is responsible for determining the status of a // CertificateRequestPolicy according to this Approver. Reconciler }
Interface is an Approver. An Approver implements an Evaluator and Webhook.
type Reconciler ¶
type Reconciler interface { // Ready declares whether the CertificateRequestPolicy is in a Ready state // according to this Reconciler. // ReconcilerReadyResponse should be returned if Ready executed successfully // and should report the what the Ready status condition should be according // to this Reconciler. // A returned error means that there was an error when trying to evaluate the // Ready state. A returned error will have Ready be retried. Ready(context.Context, *policyapi.CertificateRequestPolicy) (ReconcilerReadyResponse, error) // EnqueueChan returns a channel that when a message is received, will // reconcile the CertificateRequestPolicy with the given name, regardless of // state. // Useful for Reconcilers to provide an enqueue channel that forces a re-sync // of CertificateRequestPolicies where external state (e.g. files, incoming // events) effect the ready condition. // EnqueueChan() is expected to only be called once for each Reconciler at // start up. // A nil return value will never cause a re-sync by that Reconciler. EnqueueChan() <-chan string }
Reconciler is responsible for reconciling CertificateRequestPolicies and declaring what state they should be in.
type ReconcilerReadyResponse ¶
type ReconcilerReadyResponse struct { // Ready defines whether this Reconciler considers this // CertificateRequestPolicy to be in a ready state. Ready bool // Errors are list of errors that give context as to why the Ready field is // set to false. Only considered if Ready is set to false. Errors field.ErrorList // Result may be used by Reconciles to signal that the // CertificateRequestPolicies' status should be reconciled again and in what // duration into the future. // The CertificateRequestPolicy may be reconciled again sooner, but never // later than the RequeueAfter duration. // RequeueAfter is ignored if Request is false. ctrl.Result }
ReconcilerReadyResponse is the response to this Reconciler evaluating whether the CertificateRequestPolicy is in a Ready state.
type Webhook ¶
type Webhook interface { // Validate is run every time a CertificateRequestPolicy is created or // updated at admission time to the API server. If Validate returns a // response with Allowed set to false, the object will not be committed. // Similarly, any error will cause the object not to be committed // immediately, and no other webhooks will be run. Validate(context.Context, *policyapi.CertificateRequestPolicy) (WebhookValidationResponse, error) }
Webhook is responsible for making decisions about whether a CertificateRequestPolicy should be committed to the API server at admission time.
type WebhookValidationResponse ¶
type WebhookValidationResponse struct { // Allowed indicates whether the request was permitted by this Webhook. Allowed bool // Errors are errors in response to the validation request being not Allowed. Errors field.ErrorList }
WebhookValidationResponse is the response to a validate request to a Webhook.