- Constants
- func LoadAPIData(ctx context.Context, jp jmespath.Interface, logger logr.Logger, ...) error
- func LoadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.ContextEntry, ...) error
- func LoadImageData(ctx context.Context, jp jmespath.Interface, rclient registryclient.Client, ...) error
- func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.ContextEntry, ...) (err error)
- type ConfigmapResolver
- type ContextLoader
- type ContextLoaderFactory
- type Engine
- type EngineContextLoader
- type EngineContextLoaderFactory
- type EngineResponse
- func (er EngineResponse) GetFailedRules() []string
- func (er EngineResponse) GetFailedRulesWithErrors() []string
- func (er EngineResponse) GetPatches() [][]byte
- func (er EngineResponse) GetResourceSpec() ResourceSpec
- func (er EngineResponse) GetSuccessRules() []string
- func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction
- func (er EngineResponse) IsEmpty() bool
- func (er EngineResponse) IsError() bool
- func (er EngineResponse) IsFailed() bool
- func (er EngineResponse) IsNil() bool
- func (er EngineResponse) IsOneOf(status ...RuleStatus) bool
- func (er EngineResponse) IsSkipped() bool
- func (er EngineResponse) IsSuccessful() bool
- func (er *EngineResponse) NamespaceLabels() map[string]string
- func (er *EngineResponse) Policy() kyvernov1.PolicyInterface
- func (er EngineResponse) WithNamespaceLabels(namespaceLabels map[string]string) EngineResponse
- func (er EngineResponse) WithPatchedResource(patchedResource unstructured.Unstructured) EngineResponse
- func (er EngineResponse) WithPolicy(policy kyvernov1.PolicyInterface) EngineResponse
- func (er EngineResponse) WithPolicyResponse(policyResponse PolicyResponse) EngineResponse
- func (r EngineResponse) WithStats(stats ExecutionStats) EngineResponse
- type ExcludeFunc
- type ExecutionStats
- type ImageVerificationMetadata
- func (ivm *ImageVerificationMetadata) Add(image string, verified bool)
- func (ivm *ImageVerificationMetadata) IsEmpty() bool
- func (ivm *ImageVerificationMetadata) IsVerified(image string) bool
- func (ivm *ImageVerificationMetadata) Merge(other ImageVerificationMetadata)
- func (ivm *ImageVerificationMetadata) Patches(hasAnnotations bool, log logr.Logger) ([][]byte, error)
- type NamespacedResourceResolver
- type NamespacedResourceSelector
- type PodSecurityChecks
- type PolicyContext
- type PolicyExceptionSelector
- type PolicyResponse
- type PolicyStats
- type ResourceSpec
- type RuleResponse
- func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse
- func RuleError(name string, ruleType RuleType, msg string, err error) *RuleResponse
- func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse
- func RulePass(name string, ruleType RuleType, msg string) *RuleResponse
- func RuleSkip(name string, ruleType RuleType, msg string) *RuleResponse
- func RuleWarn(name string, ruleType RuleType, msg string) *RuleResponse
- func (r *RuleResponse) Exception() *kyvernov2alpha1.PolicyException
- func (r *RuleResponse) GeneratedResource() unstructured.Unstructured
- func (r *RuleResponse) HasStatus(status ...RuleStatus) bool
- func (r *RuleResponse) IsException() bool
- func (r *RuleResponse) Message() string
- func (r *RuleResponse) Name() string
- func (r *RuleResponse) PatchedTarget() (*unstructured.Unstructured, metav1.GroupVersionResource, string)
- func (r *RuleResponse) Patches() [][]byte
- func (r *RuleResponse) PodSecurityChecks() *PodSecurityChecks
- func (r *RuleResponse) RuleType() RuleType
- func (r *RuleResponse) Stats() ExecutionStats
- func (r *RuleResponse) Status() RuleStatus
- func (r *RuleResponse) String() string
- func (r RuleResponse) WithException(exception *kyvernov2alpha1.PolicyException) *RuleResponse
- func (r RuleResponse) WithGeneratedResource(resource unstructured.Unstructured) *RuleResponse
- func (r RuleResponse) WithPatchedTarget(patchedTarget *unstructured.Unstructured, gvr metav1.GroupVersionResource, ...) *RuleResponse
- func (r RuleResponse) WithPatches(patches ...[]byte) *RuleResponse
- func (r RuleResponse) WithPodSecurityChecks(checks PodSecurityChecks) *RuleResponse
- func (r RuleResponse) WithStats(stats ExecutionStats) RuleResponse
- type RuleStatus
- type RuleType
Constants ¶
// ImageVerifyAnnotationKey is the resource annotation key under which image
// verification results are recorded. NOTE(review): presumably the annotation
// that ImageVerificationMetadata.Patches emits (its hasAnnotations parameter
// hints at this) — confirm against the implementation before relying on it.
const ImageVerifyAnnotationKey = "kyverno.io/verify-images"
Variables ¶
This section is empty.
Functions ¶
func LoadAPIData ¶
func LoadConfigMap ¶
func LoadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface, resolver ConfigmapResolver) error
func LoadImageData ¶
func LoadImageData(ctx context.Context, jp jmespath.Interface, rclient registryclient.Client, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error
func LoadVariable ¶
func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.ContextEntry, ctx enginecontext.Interface) (err error)
Types ¶
type ConfigmapResolver ¶
type ConfigmapResolver = NamespacedResourceResolver[*corev1.ConfigMap]
ConfigmapResolver is an abstract interface used to resolve configmaps
type ContextLoader ¶
type ContextLoader interface {
	// Load resolves contextEntries and stores the results in jsonContext.
	// jp evaluates JMESPath expressions; client and rclient are the clients
	// handed to entry loaders that need external data (compare the
	// LoadAPIData/LoadImageData signatures) — presumably the cluster and
	// registry clients respectively, confirm with the implementation.
	Load(
		ctx context.Context,
		jp jmespath.Interface,
		client dclient.Interface,
		rclient registryclient.Client,
		contextEntries []kyvernov1.ContextEntry,
		jsonContext enginecontext.Interface,
	) error
}
ContextLoader abstracts the mechanics to load context entries in the underlying json context
type ContextLoaderFactory ¶
type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader
ContextLoaderFactory provides a ContextLoader given a policy context and rule name
func DefaultContextLoaderFactory ¶
func DefaultContextLoaderFactory( cmResolver ConfigmapResolver, ) ContextLoaderFactory
type Engine ¶
type Engine interface {
	// Validate applies validation rules from policy on the resource
	Validate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse
	// Mutate performs mutation. Overlay first and then mutation patches
	Mutate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse
	// Generate checks for validity of generate rule on the resource
	Generate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse
	// VerifyAndPatchImages applies the policy's image verification rules to the
	// resource and returns the engine response together with the
	// ImageVerificationMetadata collected while doing so (per-image verified
	// flags, see ImageVerificationMetadata.Add/IsVerified).
	// NOTE(review): callers gating admission should consult the response
	// status (IsFailed/IsError) and not rely on the metadata alone — confirm
	// the intended contract with the implementation.
	VerifyAndPatchImages(
		ctx context.Context,
		policyContext PolicyContext,
	) (EngineResponse, ImageVerificationMetadata)
	// ApplyBackgroundChecks checks for validity of generate and mutateExisting rules on the resource
	// 1. validate variables to be substituted in the general ruleInfo (match,exclude,condition)
	//    - the caller has to check the ruleResponse to determine whether the path exists
	//
	// 2. returns the list of rules that are applicable on this policy and resource, if 1 succeeds
	ApplyBackgroundChecks(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse
	// ContextLoader returns the EngineContextLoader used to load context
	// entries for the given policy and rule.
	ContextLoader(
		policy kyvernov1.PolicyInterface,
		rule kyvernov1.Rule,
	) EngineContextLoader
}
Engine is the main interface to run policies against resources
type EngineContextLoader ¶
type EngineContextLoader = func(ctx context.Context, contextEntries []kyvernov1.ContextEntry, jsonContext enginecontext.Interface) error
EngineContextLoader provides a function to load context entries using the clients the engine was initialised with
type EngineContextLoaderFactory ¶
type EngineContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) EngineContextLoader
EngineContextLoaderFactory provides an EngineContextLoader given a policy and rule name
type EngineResponse ¶
type EngineResponse struct { // Resource is the original resource Resource unstructured.Unstructured // PatchedResource is the resource patched with the engine action changes PatchedResource unstructured.Unstructured // PolicyResponse contains the engine policy response PolicyResponse PolicyResponse // contains filtered or unexported fields }
EngineResponse engine response to the action
func NewEngineResponse ¶
func NewEngineResponse( resource unstructured.Unstructured, policy kyvernov1.PolicyInterface, namespaceLabels map[string]string, ) EngineResponse
func NewEngineResponseFromPolicyContext ¶
func NewEngineResponseFromPolicyContext(policyContext PolicyContext) EngineResponse
func (EngineResponse) GetFailedRules ¶
func (er EngineResponse) GetFailedRules() []string
GetFailedRules returns failed rules
func (EngineResponse) GetFailedRulesWithErrors ¶
func (er EngineResponse) GetFailedRulesWithErrors() []string
GetFailedRulesWithErrors returns failed rules with corresponding error messages
func (EngineResponse) GetPatches ¶
func (er EngineResponse) GetPatches() [][]byte
GetPatches returns all the patches joined
func (EngineResponse) GetResourceSpec ¶
func (er EngineResponse) GetResourceSpec() ResourceSpec
GetResourceSpec returns resourceSpec of er
func (EngineResponse) GetSuccessRules ¶
func (er EngineResponse) GetSuccessRules() []string
GetSuccessRules returns success rules
func (EngineResponse) GetValidationFailureAction ¶
func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction
func (EngineResponse) IsEmpty ¶
func (er EngineResponse) IsEmpty() bool
IsEmpty checks if any rule results are present
func (EngineResponse) IsError ¶
func (er EngineResponse) IsError() bool
IsError checks if any rule resulted in a processing error
func (EngineResponse) IsFailed ¶
func (er EngineResponse) IsFailed() bool
IsFailed checks if any rule created a policy violation
func (EngineResponse) IsNil ¶
func (er EngineResponse) IsNil() bool
IsNil checks if the rule is an empty rule
func (EngineResponse) IsOneOf ¶
func (er EngineResponse) IsOneOf(status ...RuleStatus) bool
IsOneOf checks if any rule has status in a given list
func (EngineResponse) IsSkipped ¶
func (er EngineResponse) IsSkipped() bool
IsSkipped checks whether any rule skipped the resource.
func (EngineResponse) IsSuccessful ¶
func (er EngineResponse) IsSuccessful() bool
IsSuccessful checks that no rule has failed or produced an error during execution
func (*EngineResponse) NamespaceLabels ¶
func (er *EngineResponse) NamespaceLabels() map[string]string
func (*EngineResponse) Policy ¶
func (er *EngineResponse) Policy() kyvernov1.PolicyInterface
func (EngineResponse) WithNamespaceLabels ¶
func (er EngineResponse) WithNamespaceLabels(namespaceLabels map[string]string) EngineResponse
func (EngineResponse) WithPatchedResource ¶
func (er EngineResponse) WithPatchedResource(patchedResource unstructured.Unstructured) EngineResponse
func (EngineResponse) WithPolicy ¶
func (er EngineResponse) WithPolicy(policy kyvernov1.PolicyInterface) EngineResponse
func (EngineResponse) WithPolicyResponse ¶
func (er EngineResponse) WithPolicyResponse(policyResponse PolicyResponse) EngineResponse
func (EngineResponse) WithStats ¶
func (r EngineResponse) WithStats(stats ExecutionStats) EngineResponse
type ExcludeFunc ¶
ExcludeFunc is a function used to determine if a resource is excluded
type ExecutionStats ¶
type ExecutionStats struct {
// contains filtered or unexported fields
}
ExecutionStats stores the statistics for the single policy/rule application
func NewExecutionStats ¶
func NewExecutionStats(startTime, endTime time.Time) ExecutionStats
func (ExecutionStats) ProcessingTime ¶
func (s ExecutionStats) ProcessingTime() time.Duration
func (ExecutionStats) Time ¶
func (s ExecutionStats) Time() time.Time
func (ExecutionStats) Timestamp ¶
func (s ExecutionStats) Timestamp() int64
type ImageVerificationMetadata ¶
func ParseImageMetadata ¶
func ParseImageMetadata(jsonData string) (*ImageVerificationMetadata, error)
func (*ImageVerificationMetadata) Add ¶
func (ivm *ImageVerificationMetadata) Add(image string, verified bool)
func (*ImageVerificationMetadata) IsEmpty ¶
func (ivm *ImageVerificationMetadata) IsEmpty() bool
func (*ImageVerificationMetadata) IsVerified ¶
func (ivm *ImageVerificationMetadata) IsVerified(image string) bool
func (*ImageVerificationMetadata) Merge ¶
func (ivm *ImageVerificationMetadata) Merge(other ImageVerificationMetadata)
type NamespacedResourceResolver ¶
type NamespacedResourceResolver[T any] interface { // Get is used to resolve a resource given a namespace and name Get( ctx context.Context, namespace string, name string, ) (T, error) }
NamespacedResourceResolver is an abstract interface used to resolve namespaced resources. Any implementation might exist: cache based, file based, client based, etc.
func NewNamespacedResourceResolver ¶
func NewNamespacedResourceResolver[T any](resolvers ...NamespacedResourceResolver[T]) (NamespacedResourceResolver[T], error)
NewNamespacedResourceResolver creates a NamespacedResourceResolver from a chain of NamespacedResourceResolvers. It will try to resolve resources by iterating over the individual resolvers until one finds the requested resource.
type NamespacedResourceSelector ¶
type NamespacedResourceSelector[T any] interface { // List selects resources based on label selector. // Objects returned here must be treated as read-only. List(selector labels.Selector) (ret []T, err error) }
NamespacedResourceSelector is an abstract interface used to list namespaced resources given a label selector. Any implementation might exist: cache based, file based, client based, etc.
type PodSecurityChecks ¶
type PodSecurityChecks struct { // Level is the pod security level Level api.Level // Version is the pod security version Version string // Checks contains check result details Checks []pssutils.PSSCheckResult }
PodSecurityChecks holds details about pod security checks
type PolicyContext ¶
type PolicyContext interface {
	// Policy returns the policy being evaluated.
	Policy() kyvernov1.PolicyInterface
	// NewResource returns the new (incoming) version of the resource.
	NewResource() unstructured.Unstructured
	// OldResource returns the old version of the resource. NOTE(review):
	// presumably the zero value when there is none (e.g. on create) — confirm
	// with implementations before branching on it.
	OldResource() unstructured.Unstructured
	// AdmissionInfo returns the admission request information for this
	// evaluation as a kyvernov1beta1.RequestInfo.
	AdmissionInfo() kyvernov1beta1.RequestInfo
	// Operation returns the admission operation under evaluation.
	Operation() kyvernov1.AdmissionOperation
	// NamespaceLabels returns the namespace label set available to the engine.
	NamespaceLabels() map[string]string
	// RequestResource returns the group/version/resource of the request.
	RequestResource() metav1.GroupVersionResource
	// ResourceKind returns the resource's GroupVersionKind and a second string
	// (presumably the subresource, by analogy with the subresource argument of
	// RuleResponse.WithPatchedTarget — confirm).
	ResourceKind() (schema.GroupVersionKind, string)
	// AdmissionOperation reports a boolean about the operation. NOTE(review):
	// looks like it distinguishes an admission request from a background
	// evaluation — confirm with implementations.
	AdmissionOperation() bool
	// Element returns the value previously stored with SetElement.
	Element() unstructured.Unstructured
	// SetElement stores the element returned by Element; presumably the
	// current item while iterating a collection — confirm with callers.
	SetElement(element unstructured.Unstructured)
	// JSONContext returns the variable context used during rule evaluation.
	JSONContext() enginecontext.Interface
	// Copy returns a copy of this policy context.
	Copy() PolicyContext
}
type PolicyExceptionSelector ¶
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2alpha1.PolicyException]
PolicyExceptionSelector is an abstract interface used to resolve policy exceptions
type PolicyResponse ¶
type PolicyResponse struct { // Rules contains policy rules responses Rules []RuleResponse // contains filtered or unexported fields }
PolicyResponse policy application response
func NewPolicyResponse ¶
func NewPolicyResponse() PolicyResponse
func (*PolicyResponse) Add ¶
func (pr *PolicyResponse) Add(stats ExecutionStats, responses ...RuleResponse)
func (*PolicyResponse) RulesAppliedCount ¶
func (pr *PolicyResponse) RulesAppliedCount() int
func (*PolicyResponse) RulesErrorCount ¶
func (pr *PolicyResponse) RulesErrorCount() int
func (*PolicyResponse) Stats ¶
func (pr *PolicyResponse) Stats() PolicyStats
type PolicyStats ¶
type PolicyStats struct {
// contains filtered or unexported fields
}
PolicyStats stores statistics for the single policy application
func (*PolicyStats) RulesAppliedCount ¶
func (ps *PolicyStats) RulesAppliedCount() int
func (*PolicyStats) RulesErrorCount ¶
func (ps *PolicyStats) RulesErrorCount() int
type ResourceSpec ¶
ResourceSpec resource action applied on
func (ResourceSpec) String ¶
func (rs ResourceSpec) String() string
String implements Stringer interface
type RuleResponse ¶
type RuleResponse struct {
// contains filtered or unexported fields
}
RuleResponse details for each rule application
func NewRuleResponse ¶
func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse
func RuleError ¶
func RuleError(name string, ruleType RuleType, msg string, err error) *RuleResponse
func (*RuleResponse) Exception ¶
func (r *RuleResponse) Exception() *kyvernov2alpha1.PolicyException
func (*RuleResponse) GeneratedResource ¶
func (r *RuleResponse) GeneratedResource() unstructured.Unstructured
func (*RuleResponse) HasStatus ¶
func (r *RuleResponse) HasStatus(status ...RuleStatus) bool
HasStatus checks if rule status is in a given list
func (*RuleResponse) IsException ¶
func (r *RuleResponse) IsException() bool
func (*RuleResponse) Message ¶
func (r *RuleResponse) Message() string
func (*RuleResponse) Name ¶
func (r *RuleResponse) Name() string
func (*RuleResponse) PatchedTarget ¶
func (r *RuleResponse) PatchedTarget() (*unstructured.Unstructured, metav1.GroupVersionResource, string)
func (*RuleResponse) Patches ¶
func (r *RuleResponse) Patches() [][]byte
func (*RuleResponse) PodSecurityChecks ¶
func (r *RuleResponse) PodSecurityChecks() *PodSecurityChecks
func (*RuleResponse) RuleType ¶
func (r *RuleResponse) RuleType() RuleType
func (*RuleResponse) Stats ¶
func (r *RuleResponse) Stats() ExecutionStats
func (*RuleResponse) Status ¶
func (r *RuleResponse) Status() RuleStatus
func (*RuleResponse) String ¶
func (r *RuleResponse) String() string
String implements Stringer interface
func (RuleResponse) WithException ¶
func (r RuleResponse) WithException(exception *kyvernov2alpha1.PolicyException) *RuleResponse
func (RuleResponse) WithGeneratedResource ¶
func (r RuleResponse) WithGeneratedResource(resource unstructured.Unstructured) *RuleResponse
func (RuleResponse) WithPatchedTarget ¶
func (r RuleResponse) WithPatchedTarget(patchedTarget *unstructured.Unstructured, gvr metav1.GroupVersionResource, subresource string) *RuleResponse
func (RuleResponse) WithPatches ¶
func (r RuleResponse) WithPatches(patches ...[]byte) *RuleResponse
func (RuleResponse) WithPodSecurityChecks ¶
func (r RuleResponse) WithPodSecurityChecks(checks PodSecurityChecks) *RuleResponse
func (RuleResponse) WithStats ¶
func (r RuleResponse) WithStats(stats ExecutionStats) RuleResponse
type RuleStatus ¶
type RuleStatus string
RuleStatus represents the status of rule execution
const ( // RuleStatusPass indicates that the resources meets the policy rule requirements RuleStatusPass RuleStatus = "pass" // RuleStatusFail indicates that the resource does not meet the policy rule requirements RuleStatusFail RuleStatus = "fail" // RuleStatusWarn indicates that the resource does not meet the policy rule requirements, but the policy is not scored RuleStatusWarn RuleStatus = "warning" // RuleStatusError indicates that the policy rule could not be evaluated due to a processing error, for // example when a variable cannot be resolved in the policy rule definition. Note that variables // that cannot be resolved in preconditions are replaced with empty values to allow existence // checks. RuleStatusError RuleStatus = "error" // RuleStatusSkip indicates that the policy rule was not selected based on user inputs or applicability, for example // when preconditions are not met, or when conditional or global anchors are not satisfied. RuleStatusSkip RuleStatus = "skip" )
type RuleType ¶
type RuleType string
RuleType represents the type of a rule
const ( // Mutation type for mutation rule Mutation RuleType = "Mutation" // Validation type for validation rule Validation RuleType = "Validation" // Generation type for generation rule Generation RuleType = "Generation" // ImageVerify type for image verification ImageVerify RuleType = "ImageVerify" )