Constants

// ImageVerifyAnnotationKey is the resource annotation key used by image verification.
// NOTE(review): presumably the key under which ImageVerificationMetadata is written
// (see ImageVerificationMetadata.Patches); whatever is read back from this annotation
// originates from the resource itself and should be treated as such — confirm.
const ImageVerifyAnnotationKey = "kyverno.io/verify-images"

Variables

This section is empty.

Functions

func LoadAPIData

func LoadAPIData(ctx context.Context, jp jmespath.Interface, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface, client dclient.Interface) error

func LoadConfigMap

func LoadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface, resolver ConfigmapResolver) error

func LoadImageData

func LoadImageData(ctx context.Context, jp jmespath.Interface, rclient registryclient.Client, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error

func LoadVariable

func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.ContextEntry, ctx enginecontext.Interface) (err error)

Types

type ConfigmapResolver

// ConfigmapResolver is an abstract interface used to resolve configmaps
// (a NamespacedResourceResolver specialised to *corev1.ConfigMap).
type ConfigmapResolver = NamespacedResourceResolver[*corev1.ConfigMap]

ConfigmapResolver is an abstract interface used to resolve configmaps.

type ContextLoader

// ContextLoader abstracts the mechanics to load context entries in the
// underlying json context.
type ContextLoader interface {
	// Load resolves contextEntries with the given jmespath implementation and
	// clients (dclient for cluster resources, rclient for registries) and
	// stores the results in jsonContext. It returns the first error encountered.
	Load(
		ctx context.Context,
		jp jmespath.Interface,
		client dclient.Interface,
		rclient registryclient.Client,
		contextEntries []kyvernov1.ContextEntry,
		jsonContext enginecontext.Interface,
	) error
}

ContextLoader abstracts the mechanics of loading context entries into the underlying json context.

type ContextLoaderFactory

// ContextLoaderFactory provides a ContextLoader given a policy and a rule.
type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader

ContextLoaderFactory provides a ContextLoader given a policy and a rule.

func DefaultContextLoaderFactory

func DefaultContextLoaderFactory(
	cmResolver ConfigmapResolver,
) ContextLoaderFactory

type Engine

// Engine is the main interface to run policies against resources.
// Every method takes the PolicyContext describing the policy and the
// resource(s) to evaluate and returns an EngineResponse.
type Engine interface {
	// Validate applies validation rules from policy on the resource
	Validate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	// Mutate performs mutation. Overlay first and then mutation patches
	Mutate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	// Generate checks for validity of generate rule on the resource
	Generate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	// VerifyAndPatchImages runs image verification (ImageVerify rules) on the
	// resource. Besides the EngineResponse it returns the
	// ImageVerificationMetadata gathered while verifying.
	VerifyAndPatchImages(
		ctx context.Context,
		policyContext PolicyContext,
	) (EngineResponse, ImageVerificationMetadata)

	// ApplyBackgroundChecks checks for validity of generate and mutateExisting rules on the resource
	// 1. validate variables to be substituted in the general ruleInfo (match,exclude,condition)
	//   - the caller has to check the ruleResponse to determine whether the path exists
	//
	// 2. returns the list of rules that are applicable on this policy and resource, if step 1 succeeds
	ApplyBackgroundChecks(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	// ContextLoader returns the EngineContextLoader to use for the given
	// policy and rule.
	ContextLoader(
		policy kyvernov1.PolicyInterface,
		rule kyvernov1.Rule,
	) EngineContextLoader
}

Engine is the main interface to run policies against resources

type EngineContextLoader

// EngineContextLoader is a function that loads contextEntries into jsonContext
// using the clients the engine was initialised with.
type EngineContextLoader = func(ctx context.Context, contextEntries []kyvernov1.ContextEntry, jsonContext enginecontext.Interface) error

EngineContextLoader is a function that loads context entries using the various clients the engine was initialised with.

type EngineContextLoaderFactory

// EngineContextLoaderFactory provides an EngineContextLoader given a policy and a rule.
type EngineContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) EngineContextLoader

EngineContextLoaderFactory provides an EngineContextLoader given a policy and a rule.

type EngineResponse

// EngineResponse is the engine response to the action. It is built with
// NewEngineResponse / NewEngineResponseFromPolicyContext and extended with
// the With* methods.
type EngineResponse struct {
	// Resource is the original resource
	Resource unstructured.Unstructured

	// PatchedResource is the resource patched with the engine action changes
	PatchedResource unstructured.Unstructured
	// PolicyResponse contains the engine policy response
	PolicyResponse PolicyResponse
	// contains filtered or unexported fields
}

EngineResponse is the engine response to the action.

func NewEngineResponse

func NewEngineResponse(
	resource unstructured.Unstructured,
	policy kyvernov1.PolicyInterface,
	namespaceLabels map[string]string,
) EngineResponse

func NewEngineResponseFromPolicyContext

func NewEngineResponseFromPolicyContext(policyContext PolicyContext) EngineResponse

func (EngineResponse) GetFailedRules

func (er EngineResponse) GetFailedRules() []string

GetFailedRules returns failed rules

func (EngineResponse) GetFailedRulesWithErrors

func (er EngineResponse) GetFailedRulesWithErrors() []string

GetFailedRulesWithErrors returns failed rules with corresponding error messages

func (EngineResponse) GetPatches

func (er EngineResponse) GetPatches() [][]byte

GetPatches returns all the patches joined

func (EngineResponse) GetResourceSpec

func (er EngineResponse) GetResourceSpec() ResourceSpec

GetResourceSpec returns resourceSpec of er

func (EngineResponse) GetSuccessRules

func (er EngineResponse) GetSuccessRules() []string

GetSuccessRules returns success rules

func (EngineResponse) GetValidationFailureAction

func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction

func (EngineResponse) IsEmpty

func (er EngineResponse) IsEmpty() bool

IsEmpty checks if any rule results are present

func (EngineResponse) IsError

func (er EngineResponse) IsError() bool

IsError checks if any rule resulted in a processing error

func (EngineResponse) IsFailed

func (er EngineResponse) IsFailed() bool

IsFailed checks if any rule created a policy violation

func (EngineResponse) IsNil

func (er EngineResponse) IsNil() bool

IsNil checks if the rule is an empty rule.

func (EngineResponse) IsOneOf

func (er EngineResponse) IsOneOf(status ...RuleStatus) bool

IsOneOf checks if any rule has status in a given list

func (EngineResponse) IsSkipped

func (er EngineResponse) IsSkipped() bool

IsSkipped checks if any rule has skipped resource or not.

func (EngineResponse) IsSuccessful

func (er EngineResponse) IsSuccessful() bool

IsSuccessful checks if any rule has failed or produced an error during execution

func (*EngineResponse) NamespaceLabels

func (er *EngineResponse) NamespaceLabels() map[string]string

func (*EngineResponse) Policy

func (EngineResponse) WithNamespaceLabels

func (er EngineResponse) WithNamespaceLabels(namespaceLabels map[string]string) EngineResponse

func (EngineResponse) WithPatchedResource

func (er EngineResponse) WithPatchedResource(patchedResource unstructured.Unstructured) EngineResponse

func (EngineResponse) WithPolicy

func (EngineResponse) WithPolicyResponse

func (er EngineResponse) WithPolicyResponse(policyResponse PolicyResponse) EngineResponse

func (EngineResponse) WithStats

func (r EngineResponse) WithStats(stats ExecutionStats) EngineResponse

type ExcludeFunc

// ExcludeFunc is a function used to determine if a resource, identified by
// kind, namespace and name, is excluded.
type ExcludeFunc = func(kind, namespace, name string) bool

ExcludeFunc is a function used to determine if a resource is excluded

type ExecutionStats

// ExecutionStats stores the statistics for the single policy/rule application.
// Construct it with NewExecutionStats(startTime, endTime).
type ExecutionStats struct {
	// contains filtered or unexported fields
}

ExecutionStats stores the statistics for the single policy/rule application

func NewExecutionStats

func NewExecutionStats(startTime, endTime time.Time) ExecutionStats

func (ExecutionStats) ProcessingTime

func (s ExecutionStats) ProcessingTime() time.Duration

func (ExecutionStats) Time

func (s ExecutionStats) Time() time.Time

func (ExecutionStats) Timestamp

func (s ExecutionStats) Timestamp() int64

type ImageVerificationMetadata

// ImageVerificationMetadata records, per image, whether verification succeeded.
// It is JSON-serialisable and can be rebuilt from JSON with ParseImageMetadata.
// NOTE(review): if this metadata is round-tripped through the resource
// annotation (ImageVerifyAnnotationKey / Patches), the values parsed back come
// from the resource and carry no proof of verification on their own — confirm.
type ImageVerificationMetadata struct {
	// Data maps an image (as given to Add) to its verified flag.
	Data map[string]bool `json:"data"`
}

func ParseImageMetadata

func ParseImageMetadata(jsonData string) (*ImageVerificationMetadata, error)

func (*ImageVerificationMetadata) Add

func (ivm *ImageVerificationMetadata) Add(image string, verified bool)

func (*ImageVerificationMetadata) IsEmpty

func (ivm *ImageVerificationMetadata) IsEmpty() bool

func (*ImageVerificationMetadata) IsVerified

func (ivm *ImageVerificationMetadata) IsVerified(image string) bool

func (*ImageVerificationMetadata) Merge

func (*ImageVerificationMetadata) Patches

func (ivm *ImageVerificationMetadata) Patches(hasAnnotations bool, log logr.Logger) ([][]byte, error)

type NamespacedResourceResolver

// NamespacedResourceResolver is an abstract interface used to resolve
// namespaced resources. Any implementation might exist: cache based, file
// based, client based, etc.
type NamespacedResourceResolver[T any] interface {
	// Get is used to resolve a resource given a namespace and name
	Get(
		ctx context.Context,
		namespace string,
		name string,
	) (T, error)
}

NamespacedResourceResolver is an abstract interface used to resolve namespaced resources. Any implementation might exist: cache based, file based, client based, etc.

func NewNamespacedResourceResolver

func NewNamespacedResourceResolver[T any](resolvers ...NamespacedResourceResolver[T]) (NamespacedResourceResolver[T], error)

NewNamespacedResourceResolver creates a NamespacedResourceResolver from a chain of NamespacedResourceResolvers. It will try to resolve resources by iterating over the individual resolvers until one finds the requested resource.

type NamespacedResourceSelector

// NamespacedResourceSelector is an abstract interface used to list namespaced
// resources given a label selector. Any implementation might exist: cache
// based, file based, client based, etc.
type NamespacedResourceSelector[T any] interface {
	// List selects resources based on label selector.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []T, err error)
}

NamespacedResourceSelector is an abstract interface used to list namespaced resources given a label selector. Any implementation might exist: cache based, file based, client based, etc.

type PodSecurityChecks

// PodSecurityChecks holds details about pod security checks.
type PodSecurityChecks struct {
	// Level is the pod security level
	Level api.Level
	// Version is the pod security version
	Version string
	// Checks contains check result details
	Checks []pssutils.PSSCheckResult
}

PodSecurityChecks holds details about pod security checks.

type PolicyContext

// PolicyContext carries the policy and the resource(s) an Engine call operates on.
// NOTE(review): the per-method summaries below are inferred from names and
// types only — confirm against the implementation.
type PolicyContext interface {
	// Policy returns the policy under evaluation.
	Policy() kyvernov1.PolicyInterface
	// NewResource and OldResource return the new and old versions of the resource.
	NewResource() unstructured.Unstructured
	OldResource() unstructured.Unstructured
	// AdmissionInfo returns the admission request information.
	AdmissionInfo() kyvernov1beta1.RequestInfo
	// Operation returns the admission operation.
	Operation() kyvernov1.AdmissionOperation
	// NamespaceLabels returns the labels of the resource's namespace.
	NamespaceLabels() map[string]string
	// RequestResource returns the group/version/resource of the request.
	RequestResource() metav1.GroupVersionResource
	// ResourceKind returns the group/version/kind plus a second string
	// (presumably the subresource).
	ResourceKind() (schema.GroupVersionKind, string)
	// AdmissionOperation reports whether the context stems from an admission request.
	AdmissionOperation() bool
	// Element returns the element previously set with SetElement.
	Element() unstructured.Unstructured
	SetElement(element unstructured.Unstructured)

	// JSONContext returns the underlying json context.
	JSONContext() enginecontext.Interface
	// Copy returns a copy of this context.
	Copy() PolicyContext
}

type PolicyExceptionSelector

PolicyExceptionSelector is an abstract interface used to resolve policy exceptions.

type PolicyResponse

// PolicyResponse is the policy application response. Create it with
// NewPolicyResponse and append rule responses with Add.
type PolicyResponse struct {

	// Rules contains policy rules responses
	Rules []RuleResponse
	// contains filtered or unexported fields
}

PolicyResponse is the policy application response.

func NewPolicyResponse

func NewPolicyResponse() PolicyResponse

func (*PolicyResponse) Add

func (pr *PolicyResponse) Add(stats ExecutionStats, responses ...RuleResponse)

func (*PolicyResponse) RulesAppliedCount

func (pr *PolicyResponse) RulesAppliedCount() int

func (*PolicyResponse) RulesErrorCount

func (pr *PolicyResponse) RulesErrorCount() int

func (*PolicyResponse) Stats

func (pr *PolicyResponse) Stats() PolicyStats

type PolicyStats

// PolicyStats stores statistics for the single policy application
// (see RulesAppliedCount and RulesErrorCount).
type PolicyStats struct {
	// contains filtered or unexported fields
}

PolicyStats stores statistics for the single policy application

func (*PolicyStats) RulesAppliedCount

func (ps *PolicyStats) RulesAppliedCount() int

func (*PolicyStats) RulesErrorCount

func (ps *PolicyStats) RulesErrorCount() int

type ResourceSpec

// ResourceSpec identifies the resource the action was applied on.
type ResourceSpec struct {
	// Kind and APIVersion identify the resource type.
	Kind       string
	APIVersion string
	// Namespace, Name and UID identify the resource instance.
	Namespace  string
	Name       string
	UID        string
}

ResourceSpec identifies the resource the action was applied on.

func (ResourceSpec) String

func (rs ResourceSpec) String() string

String implements Stringer interface

type RuleResponse

// RuleResponse holds the details of a single rule application. Build it with
// NewRuleResponse or the RulePass/RuleFail/RuleWarn/RuleError/RuleSkip
// helpers, then extend it with the With* methods.
type RuleResponse struct {
	// contains filtered or unexported fields
}

RuleResponse holds the details of each rule application.

func NewRuleResponse

func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse

func RuleError

func RuleError(name string, ruleType RuleType, msg string, err error) *RuleResponse

func RuleFail

func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse

func RulePass

func RulePass(name string, ruleType RuleType, msg string) *RuleResponse

func RuleSkip

func RuleSkip(name string, ruleType RuleType, msg string) *RuleResponse

func RuleWarn

func RuleWarn(name string, ruleType RuleType, msg string) *RuleResponse

func (*RuleResponse) Exception

func (*RuleResponse) GeneratedResource

func (r *RuleResponse) GeneratedResource() unstructured.Unstructured

func (*RuleResponse) HasStatus

func (r *RuleResponse) HasStatus(status ...RuleStatus) bool

HasStatus checks if rule status is in a given list

func (*RuleResponse) IsException

func (r *RuleResponse) IsException() bool

func (*RuleResponse) Message

func (r *RuleResponse) Message() string

func (*RuleResponse) Name

func (r *RuleResponse) Name() string

func (*RuleResponse) PatchedTarget

func (*RuleResponse) Patches

func (r *RuleResponse) Patches() [][]byte

func (*RuleResponse) PodSecurityChecks

func (r *RuleResponse) PodSecurityChecks() *PodSecurityChecks

func (*RuleResponse) RuleType

func (r *RuleResponse) RuleType() RuleType

func (*RuleResponse) Stats

func (r *RuleResponse) Stats() ExecutionStats

func (*RuleResponse) Status

func (r *RuleResponse) Status() RuleStatus

func (*RuleResponse) String

func (r *RuleResponse) String() string

String implements Stringer interface

func (RuleResponse) WithException

func (r RuleResponse) WithException(exception *kyvernov2alpha1.PolicyException) *RuleResponse

func (RuleResponse) WithGeneratedResource

func (r RuleResponse) WithGeneratedResource(resource unstructured.Unstructured) *RuleResponse

func (RuleResponse) WithPatchedTarget

func (r RuleResponse) WithPatchedTarget(patchedTarget *unstructured.Unstructured, gvr metav1.GroupVersionResource, subresource string) *RuleResponse

func (RuleResponse) WithPatches

func (r RuleResponse) WithPatches(patches ...[]byte) *RuleResponse

func (RuleResponse) WithPodSecurityChecks

func (r RuleResponse) WithPodSecurityChecks(checks PodSecurityChecks) *RuleResponse

func (RuleResponse) WithStats

func (r RuleResponse) WithStats(stats ExecutionStats) RuleResponse

type RuleStatus

// RuleStatus represents the status of rule execution; see the RuleStatus*
// constants for the possible values.
type RuleStatus string

RuleStatus represents the status of rule execution

// Possible RuleStatus values.
const (
	// RuleStatusPass indicates that the resource meets the policy rule requirements
	RuleStatusPass RuleStatus = "pass"
	// RuleStatusFail indicates that the resource does not meet the policy rule requirements
	RuleStatusFail RuleStatus = "fail"
	// RuleStatusWarn indicates that the resource does not meet the policy rule requirements, but the policy is not scored
	RuleStatusWarn RuleStatus = "warning"
	// RuleStatusError indicates that the policy rule could not be evaluated due to a processing error, for
	// example when a variable cannot be resolved in the policy rule definition. Note that variables
	// that cannot be resolved in preconditions are replaced with empty values to allow existence
	// checks.
	RuleStatusError RuleStatus = "error"
	// RuleStatusSkip indicates that the policy rule was not selected based on user inputs or applicability, for example
	// when preconditions are not met, or when conditional or global anchors are not satisfied.
	RuleStatusSkip RuleStatus = "skip"
)

type RuleType

// RuleType represents the type of a rule; see the Mutation, Validation,
// Generation and ImageVerify constants.
type RuleType string

RuleType represents the type of a rule

// Possible RuleType values.
const (
	// Mutation is the type of a mutation rule
	Mutation RuleType = "Mutation"
	// Validation is the type of a validation rule
	Validation RuleType = "Validation"
	// Generation is the type of a generation rule
	Generation RuleType = "Generation"
	// ImageVerify is the type of an image verification rule
	ImageVerify RuleType = "ImageVerify"
)
