policies

package
v3.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 5, 2021 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsExempt

func IsExempt(clusterName, resourceName, namespace string, userInfo authenticationv1.UserInfo, policyName string, exemptions []CompiledExemption) bool

IsExempt returns whether a resource is exempt from a given policy

Types

type AnnotationConfig

type AnnotationConfig struct {
	Annotation    string   `json:"annotation"`
	Annotations   []string `json:"annotations"`
	AllowedValues []string `json:"allowed_values"`
	AllowMissing  bool     `json:"allow_missing"`
}

AnnotationConfig defines a single annotation config

type CompiledExemption

type CompiledExemption struct {
	ClusterName    glob.Glob
	ResourceName   glob.Glob
	Namespace      glob.Glob
	Username       glob.Glob
	Group          glob.Glob
	ExemptPolicies []glob.Glob
}

CompiledExemption is the compiled configuration for a policy exemption

func ExemptionsFromDirectory

func ExemptionsFromDirectory(directory string) ([]CompiledExemption, error)

ExemptionsFromDirectory returns compiled exemptions a given directory

func ExemptionsFromYAML

func ExemptionsFromYAML(exemptions []byte) ([]CompiledExemption, error)

ExemptionsFromYAML returns compiled exemptions from YAML input

type Config

type Config struct {
	// PolicyRequireIngressExemptionClasses contains the Ingress classes that an exemption is required for
	// to use. Typically this would include your public ingress classes.
	PolicyRequireIngressExemptionClasses []string `json:"policy_require_ingress_exemption_classes"`
	// PolicyRequireServiceLoadBalancerAnnotations contains the Service LB types annotation that are allowed with this policy.
	PolicyRequireServiceLoadBalancerAnnotations []*AnnotationConfig `json:"policy_require_service_loadbalancer_annotations"`
	// PolicyTrustedRepositoryRegexes contains regexes that match image repositories that you want to allow.
	PolicyTrustedRepositoryRegexes []string `json:"policy_trusted_repository_regexes"`
	// PolicyDefaultSeccompPolicy contains the seccomp policy that you want to be applied on Pods by default.
	// Defaults to 'runtime/default'
	PolicyDefaultSeccompPolicy string `json:"policy_default_seccomp_policy"`
	// PolicyImagePullPolicy contains the images that needs to enforce to a specific ImagePullPolicy
	PolicyImagePullPolicy   map[string][]string     `json:"mutate_image_pull_policy"`
	MutateEmptyDirSizeLimit MutateEmptyDirSizeLimit `json:"mutate_empty_dir_size_limit"`
}

Config contains configuration for Policies

type MutateEmptyDirSizeLimit

type MutateEmptyDirSizeLimit struct {
	MaximumSizeLimit apiresource.Quantity `json:"maximum_size_limit"`
	DefaultSizeLimit apiresource.Quantity `json:"default_size_limit"`
}

func (*MutateEmptyDirSizeLimit) UnmarshalJSON

func (m *MutateEmptyDirSizeLimit) UnmarshalJSON(value []byte) error

type PatchOperation

type PatchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

PatchOperation is used for specifying mutating patches on resources. It follows the JSONPatch format (http://jsonpatch.com/) This is the format that MutatingWebhookConfigurations require.

type RawExemption

type RawExemption struct {
	ClusterName    string   `json:"cluster_name"`
	ResourceName   string   `json:"resource_name"`
	Namespace      string   `json:"namespace"`
	Username       string   `json:"username"`
	Group          string   `json:"group"`
	ExemptPolicies []string `json:"exempt_policies"`
}

RawExemption is the configuration for a policy exemption

func (*RawExemption) Compile

func (r *RawExemption) Compile() CompiledExemption

Compile returns a CompiledExemption

type ResourceViolation

type ResourceViolation struct {
	ResourceName string
	ResourceKind string
	Namespace    string
	Violation    string
	Policy       string
	Error        error
}

ResourceViolation contains information needed to report and track violations, as well as checking for exemptions

func (ResourceViolation) HumanString

func (r ResourceViolation) HumanString() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL