Functions ¶
func IsExempt ¶
func IsExempt(clusterName, resourceName, namespace string, userInfo authenticationv1.UserInfo, policyName string, exemptions []CompiledExemption) bool
IsExempt reports whether the resource identified by clusterName, resourceName and namespace, requested by the user described in userInfo, is exempt from the policy named policyName according to exemptions. Each CompiledExemption is a set of glob patterns, so a broad pattern such as "*" matches any value: an exemption is effectively a policy bypass and exemption sources should be reviewed and access-controlled like the policies themselves. Whether every field of an exemption must match for it to apply is decided by the implementation and is not visible in this listing.
Types ¶
type AnnotationConfig ¶
type AnnotationConfig struct { Annotation string `json:"annotation"` Annotations []string `json:"annotations"` AllowedValues []string `json:"allowed_values"` AllowMissing bool `json:"allow_missing"` }
AnnotationConfig defines the configuration for a single annotation check: the key(s) inspected, the accepted values, and whether a missing annotation is tolerated.
type CompiledExemption ¶
type CompiledExemption struct { ClusterName glob.Glob ResourceName glob.Glob Namespace glob.Glob Username glob.Glob Group glob.Glob ExemptPolicies []glob.Glob }
CompiledExemption is the compiled, glob-matching form of a policy exemption, as produced by RawExemption.Compile, ExemptionsFromYAML or ExemptionsFromDirectory.
func ExemptionsFromDirectory ¶
func ExemptionsFromDirectory(directory string) ([]CompiledExemption, error)
ExemptionsFromDirectory returns the compiled exemptions loaded from the exemption files in directory (presumably YAML, see ExemptionsFromYAML), or an error if they cannot be read or parsed. Anything able to write to this directory can exempt resources from policy, so it is a trust boundary and should be writable only by the policy administrators.
func ExemptionsFromYAML ¶
func ExemptionsFromYAML(exemptions []byte) ([]CompiledExemption, error)
ExemptionsFromYAML parses exemptions in the RawExemption field layout from YAML input and compiles each into a CompiledExemption. Since RawExemption.Compile does not return an error, any error returned here stems from parsing the input.
type Config ¶
type Config struct { // PolicyRequireIngressExemptionClasses contains the Ingress classes that an exemption is required for // to use. Typically this would include your public ingress classes. PolicyRequireIngressExemptionClasses []string `json:"policy_require_ingress_exemption_classes"` // PolicyRequireServiceLoadBalancerAnnotations contains the Service LB types annotation that are allowed with this policy. PolicyRequireServiceLoadBalancerAnnotations []*AnnotationConfig `json:"policy_require_service_loadbalancer_annotations"` // PolicyTrustedRepositoryRegexes contains regexes that match image repositories that you want to allow. PolicyTrustedRepositoryRegexes []string `json:"policy_trusted_repository_regexes"` // PolicyDefaultSeccompPolicy contains the seccomp policy that you want to be applied on Pods by default. // Defaults to 'runtime/default' PolicyDefaultSeccompPolicy string `json:"policy_default_seccomp_policy"` // PolicyImagePullPolicy contains the images that needs to enforce to a specific ImagePullPolicy PolicyImagePullPolicy map[string][]string `json:"mutate_image_pull_policy"` MutateEmptyDirSizeLimit MutateEmptyDirSizeLimit `json:"mutate_empty_dir_size_limit"` }
Config contains the configuration for the policies, read from JSON using the field tags shown.
type MutateEmptyDirSizeLimit ¶
type MutateEmptyDirSizeLimit struct { MaximumSizeLimit apiresource.Quantity `json:"maximum_size_limit"` DefaultSizeLimit apiresource.Quantity `json:"default_size_limit"` }
func (*MutateEmptyDirSizeLimit) UnmarshalJSON ¶
func (m *MutateEmptyDirSizeLimit) UnmarshalJSON(value []byte) error
type PatchOperation ¶
type PatchOperation struct { Op string `json:"op"` Path string `json:"path"` Value interface{} `json:"value,omitempty"` }
PatchOperation is used for specifying mutating patches on resources. It follows the JSON Patch format (RFC 6902, see http://jsonpatch.com/), which is the format MutatingWebhookConfigurations require.
type RawExemption ¶
type RawExemption struct { ClusterName string `json:"cluster_name"` ResourceName string `json:"resource_name"` Namespace string `json:"namespace"` Username string `json:"username"` Group string `json:"group"` ExemptPolicies []string `json:"exempt_policies"` }
RawExemption is the uncompiled (as-written) configuration for a policy exemption; call Compile to obtain the glob-matching CompiledExemption form.
func (*RawExemption) Compile ¶
func (r *RawExemption) Compile() CompiledExemption
Compile returns the CompiledExemption equivalent of r, with each field compiled into a glob pattern. Because Compile has no error return, an invalid pattern must be handled internally (by panicking or by being silently dropped) — check which before accepting exemption files from less-trusted sources.
type ResourceViolation ¶
type ResourceViolation struct { ResourceName string ResourceKind string Namespace string Violation string Policy string Error error }
ResourceViolation contains the information needed to report and track a violation, as well as to check it against exemptions.
func (ResourceViolation) HumanString ¶
func (r ResourceViolation) HumanString() string