Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func IsExempt
func IsExempt(resourceName string, namespace string, userInfo authenticationv1.UserInfo, policyName string, exemptions []CompiledExemption) bool
IsExempt returns whether a resource is exempt from a given policy
Types
type CompiledExemption
type CompiledExemption struct {
    ResourceName   glob.Glob
    Namespace      glob.Glob
    Username       glob.Glob
    Group          glob.Glob
    ExemptPolicies []glob.Glob
}
CompiledExemption is the compiled configuration for a policy exemption
func ExemptionsFromDirectory
func ExemptionsFromDirectory(directory string) ([]CompiledExemption, error)
ExemptionsFromDirectory returns compiled exemptions from a given directory
func ExemptionsFromYAML
func ExemptionsFromYAML(exemptions []byte) ([]CompiledExemption, error)
ExemptionsFromYAML returns compiled exemptions from YAML input
type Config
type Config struct {
    // PolicyRequireIngressExemptionClasses contains the Ingress classes that an exemption is required for
    // to use. Typically this would include your public ingress classes.
    PolicyRequireIngressExemptionClasses []string `yaml:"policy_require_ingress_exemption_classes"`
    // PolicyTrustedRepositoryRegexes contains regexes that match image repositories that you want to allow.
    PolicyTrustedRepositoryRegexes []string `yaml:"policy_trusted_repository_regexes"`
    // PolicyDefaultSeccompPolicy contains the seccomp policy that you want to be applied on Pods by default.
    // Defaults to 'runtime/default'
    PolicyDefaultSeccompPolicy string `yaml:"policy_default_seccomp_policy"`
}
Config contains configuration for Policies
type PatchOperation (added in v1.1.1)
type PatchOperation struct {
    Op    string      `json:"op"`
    Path  string      `json:"path"`
    Value interface{} `json:"value,omitempty"`
}
PatchOperation is used for specifying mutating patches on resources. It follows the JSONPatch format (http://jsonpatch.com/). This is the format that MutatingWebhookConfigurations require.
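An added example, not the package's own code: building a mutating patch with PatchOperation for the default seccomp profile named in Config. The annotation key used as the patch target and the helpers escapePointer, seccompPatch and patchJSON are assumptions; the example shows that a "/" inside a key must be escaped as "~1" in the JSONPatch path and that a missing annotations map has to be created whole.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PatchOperation is copied from the struct documented above.
type PatchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// escapePointer escapes one JSON Pointer token (RFC 6901): "~" to "~0" first, then "/" to "~1".
func escapePointer(token string) string {
	return strings.ReplaceAll(strings.ReplaceAll(token, "~", "~0"), "/", "~1")
}

// seccompKey is the legacy Pod seccomp annotation (assumed target of the patch).
const seccompKey = "seccomp.security.alpha.kubernetes.io/pod"

// seccompPatch (hypothetical helper) returns the operations that default the profile on a Pod.
func seccompPatch(annotations map[string]string, profile string) []PatchOperation {
	if annotations == nil {
		// "add" below a missing object fails, so create the whole map instead.
		return []PatchOperation{{Op: "add", Path: "/metadata/annotations",
			Value: map[string]string{seccompKey: profile}}}
	}
	if _, set := annotations[seccompKey]; set {
		return nil // an explicit profile is left untouched
	}
	return []PatchOperation{{Op: "add", Path: "/metadata/annotations/" + escapePointer(seccompKey), Value: profile}}
}

// patchJSON serializes the operations as a webhook response would carry them.
func patchJSON(ops []PatchOperation) string {
	b, err := json.Marshal(ops)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	fmt.Println(patchJSON(seccompPatch(map[string]string{"app": "web"}, "runtime/default")))
}
```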
type RawExemption
type RawExemption struct {
    ResourceName   string   `yaml:"resource_name"`
    Namespace      string   `yaml:"namespace"`
    Username       string   `yaml:"username"`
    Group          string   `yaml:"group"`
    ExemptPolicies []string `yaml:"exempt_policies"`
}
RawExemption is the configuration for a policy exemption
func (*RawExemption) Compile
func (r *RawExemption) Compile() CompiledExemption
Compile returns a CompiledExemption
type ResourceViolation
type ResourceViolation struct {
    ResourceName string
    ResourceKind string
    Namespace    string
    Violation    string
    Policy       string
    Error        error
}
ResourceViolation contains information needed to report and track violations, as well as checking for exemptions
func (ResourceViolation) HumanString
func (r ResourceViolation) HumanString() string