api

package
v1.12.6-rc.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 26, 2024 License: Apache-2.0 Imports: 28 Imported by: 6

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthClient added in v1.10.5

type AuthClient interface {
	CanI(ctx context.Context, kind, namespace, verb, subresource, user string) (bool, string, error)
}

type Client added in v1.10.5

type Client interface {
	RawClient
	AuthClient
	ResourceClient
}

type ConfigmapResolver

type ConfigmapResolver = NamespacedResourceResolver[*corev1.ConfigMap]

ConfigmapResolver is an abstract interface used to resolve configmaps

type ContextLoader

type ContextLoader interface {
	Load(
		ctx context.Context,
		jp jmespath.Interface,
		client RawClient,
		rclientFactory RegistryClientFactory,
		contextEntries []kyvernov1.ContextEntry,
		jsonContext enginecontext.Interface,
	) error
}

ContextLoader abstracts the mechanics to load context entries in the underlying json context

type ContextLoaderFactory

type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader

ContextLoaderFactory provides a ContextLoader given a policy context and rule name

type Engine

type Engine interface {
	// Validate applies validation rules from policy on the resource
	Validate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	// Mutate performs mutation. Overlay first and then mutation patches
	Mutate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	// Generate checks for validity of generate rule on the resource
	Generate(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	// VerifyAndPatchImages ...
	VerifyAndPatchImages(
		ctx context.Context,
		policyContext PolicyContext,
	) (EngineResponse, ImageVerificationMetadata)

	// ApplyBackgroundChecks checks for validity of generate and mutateExisting rules on the resource
	// 1. validate variables to be substitute in the general ruleInfo (match,exclude,condition)
	//   - the caller has to check the ruleResponse to determine whether the path exist
	//
	// 2. returns the list of rules that are applicable on this policy and resource, if 1 succeed
	ApplyBackgroundChecks(
		ctx context.Context,
		policyContext PolicyContext,
	) EngineResponse

	ContextLoader(
		policy kyvernov1.PolicyInterface,
		rule kyvernov1.Rule,
	) EngineContextLoader
}

Engine is the main interface to run policies against resources

type EngineContextLoader

type EngineContextLoader = func(ctx context.Context, contextEntries []kyvernov1.ContextEntry, jsonContext enginecontext.Interface) error

EngineContextLoader provides a function to load context entries from the various clients initialised with the engine ones

type EngineContextLoaderFactory

type EngineContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) EngineContextLoader

EngineContextLoaderFactory provides an EngineContextLoader given a policy and rule name

type EngineResponse

type EngineResponse struct {
	// Resource is the original resource
	Resource unstructured.Unstructured

	// PatchedResource is the resource patched with the engine action changes
	PatchedResource unstructured.Unstructured
	// PolicyResponse contains the engine policy response
	PolicyResponse PolicyResponse
	// contains filtered or unexported fields
}

EngineResponse engine response to the action

func NewEngineResponse

func NewEngineResponse(
	resource unstructured.Unstructured,
	policy GenericPolicy,
	namespaceLabels map[string]string,
) EngineResponse

func NewEngineResponseFromPolicyContext

func NewEngineResponseFromPolicyContext(policyContext PolicyContext) EngineResponse

func (EngineResponse) GetFailedRules

func (er EngineResponse) GetFailedRules() []string

GetFailedRules returns failed rules

func (EngineResponse) GetFailedRulesWithErrors

func (er EngineResponse) GetFailedRulesWithErrors() []string

GetFailedRulesWithErrors returns failed rules with corresponding error messages

func (EngineResponse) GetPatches

func (er EngineResponse) GetPatches() []jsonpatch.JsonPatchOperation

GetPatches returns all the patches joined

func (EngineResponse) GetResourceSpec

func (er EngineResponse) GetResourceSpec() ResourceSpec

GetResourceSpec returns resourceSpec of er

func (EngineResponse) GetSuccessRules

func (er EngineResponse) GetSuccessRules() []string

GetSuccessRules returns success rules

func (EngineResponse) GetValidationFailureAction

func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction

If the policy is of type ValidatingAdmissionPolicy, an empty string is returned.

func (EngineResponse) IsEmpty

func (er EngineResponse) IsEmpty() bool

IsEmpty checks if any rule results are present

func (EngineResponse) IsError

func (er EngineResponse) IsError() bool

IsError checks if any rule resulted in a processing error

func (EngineResponse) IsFailed

func (er EngineResponse) IsFailed() bool

IsFailed checks if any rule created a policy violation

func (EngineResponse) IsNil

func (er EngineResponse) IsNil() bool

isNil checks if rule is an empty rule

func (EngineResponse) IsOneOf

func (er EngineResponse) IsOneOf(status ...RuleStatus) bool

IsOneOf checks if any rule has status in a given list

func (EngineResponse) IsSkipped

func (er EngineResponse) IsSkipped() bool

IsSkipped checks if any rule has skipped resource or not.

func (EngineResponse) IsSuccessful

func (er EngineResponse) IsSuccessful() bool

IsSuccessful checks if any rule has failed or produced an error during execution

func (*EngineResponse) NamespaceLabels

func (er *EngineResponse) NamespaceLabels() map[string]string

func (*EngineResponse) Policy

func (er *EngineResponse) Policy() GenericPolicy

func (EngineResponse) WithNamespaceLabels

func (er EngineResponse) WithNamespaceLabels(namespaceLabels map[string]string) EngineResponse

func (EngineResponse) WithPatchedResource

func (er EngineResponse) WithPatchedResource(patchedResource unstructured.Unstructured) EngineResponse

func (EngineResponse) WithPolicy

func (er EngineResponse) WithPolicy(policy GenericPolicy) EngineResponse

func (EngineResponse) WithPolicyResponse

func (er EngineResponse) WithPolicyResponse(policyResponse PolicyResponse) EngineResponse

func (EngineResponse) WithStats

func (r EngineResponse) WithStats(stats ExecutionStats) EngineResponse

type ExcludeFunc

type ExcludeFunc = func(kind, namespace, name string) bool

ExcludeFunc is a function used to determine if a resource is excluded

type ExecutionStats

type ExecutionStats struct {
	// contains filtered or unexported fields
}

ExecutionStats stores the statistics for the single policy/rule application

func NewExecutionStats

func NewExecutionStats(startTime, endTime time.Time) ExecutionStats

func (ExecutionStats) ProcessingTime

func (s ExecutionStats) ProcessingTime() time.Duration

func (ExecutionStats) Time

func (s ExecutionStats) Time() time.Time

func (ExecutionStats) Timestamp

func (s ExecutionStats) Timestamp() int64

type GenericPolicy added in v1.10.5

type GenericPolicy interface {
	// AsKyvernoPolicy returns the kyverno policy
	AsKyvernoPolicy() kyvernov1.PolicyInterface
	// AsValidatingAdmissionPolicy returns the validating admission policy
	AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
	// GetType returns policy type
	GetType() PolicyType
	// GetAPIVersion returns policy API version
	GetAPIVersion() string
	// GetName returns policy name
	GetName() string
	// GetNamespace returns policy namespace
	GetNamespace() string
	// GetKind returns policy kind
	GetKind() string
	// GetResourceVersion returns policy resource version
	GetResourceVersion() string
	// GetAnnotations returns policy annotations
	GetAnnotations() map[string]string
	// IsNamespaced indicates if the policy is namespace scoped
	IsNamespaced() bool
	// MetaObject provides an object compatible with metav1.Object
	MetaObject() metav1.Object
}

GenericPolicy abstracts the policy type (Kyverno policy vs Validating admission policy) It is intended to be used in EngineResponse

func NewKyvernoPolicy added in v1.10.5

func NewKyvernoPolicy(pol kyvernov1.PolicyInterface) GenericPolicy

func NewValidatingAdmissionPolicy added in v1.10.5

func NewValidatingAdmissionPolicy(pol v1alpha1.ValidatingAdmissionPolicy) GenericPolicy

type ImageData added in v1.10.5

type ImageData struct {
	Image         string
	ResolvedImage string
	Registry      string
	Repository    string
	Identifier    string
	Manifest      []byte
	Config        []byte
}

type ImageDataClient added in v1.10.5

type ImageDataClient interface {
	ForRef(ctx context.Context, ref string) (*ImageData, error)
	FetchImageDescriptor(context.Context, string) (*gcrremote.Descriptor, error)
}

type ImageVerificationMetadata

type ImageVerificationMetadata struct {
	Data map[string]ImageVerificationMetadataStatus `json:"data"`
}

func ParseImageMetadata

func ParseImageMetadata(jsonData string) (*ImageVerificationMetadata, error)

func (*ImageVerificationMetadata) Add

func (*ImageVerificationMetadata) ImageVerificationStatus added in v1.12.0

func (ivm *ImageVerificationMetadata) ImageVerificationStatus(image string) ImageVerificationMetadataStatus

func (*ImageVerificationMetadata) IsEmpty

func (ivm *ImageVerificationMetadata) IsEmpty() bool

func (*ImageVerificationMetadata) IsVerified

func (ivm *ImageVerificationMetadata) IsVerified(image string) bool

func (*ImageVerificationMetadata) Merge

func (*ImageVerificationMetadata) Patches

func (ivm *ImageVerificationMetadata) Patches(hasAnnotations bool, log logr.Logger) ([]jsonpatch.JsonPatchOperation, error)

type ImageVerificationMetadataStatus added in v1.12.0

type ImageVerificationMetadataStatus string
const (
	ImageVerificationPass ImageVerificationMetadataStatus = "pass"
	ImageVerificationFail ImageVerificationMetadataStatus = "fail"
	ImageVerificationSkip ImageVerificationMetadataStatus = "skip"
)

type Initializer added in v1.10.1

type Initializer = func(jsonContext enginecontext.Interface) error

type KeychainClient added in v1.10.5

type KeychainClient interface {
	Keychain() authn.Keychain
}

type KyvernoPolicy added in v1.10.5

type KyvernoPolicy struct {
	// contains filtered or unexported fields
}

func (*KyvernoPolicy) AsKyvernoPolicy added in v1.12.0

func (p *KyvernoPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface

func (*KyvernoPolicy) AsValidatingAdmissionPolicy added in v1.12.0

func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy

func (*KyvernoPolicy) GetAPIVersion added in v1.12.0

func (p *KyvernoPolicy) GetAPIVersion() string

func (*KyvernoPolicy) GetAnnotations added in v1.10.5

func (p *KyvernoPolicy) GetAnnotations() map[string]string

func (*KyvernoPolicy) GetKind added in v1.10.5

func (p *KyvernoPolicy) GetKind() string

func (*KyvernoPolicy) GetName added in v1.10.5

func (p *KyvernoPolicy) GetName() string

func (*KyvernoPolicy) GetNamespace added in v1.10.5

func (p *KyvernoPolicy) GetNamespace() string

func (*KyvernoPolicy) GetResourceVersion added in v1.10.5

func (p *KyvernoPolicy) GetResourceVersion() string

func (*KyvernoPolicy) GetType added in v1.10.5

func (p *KyvernoPolicy) GetType() PolicyType

func (*KyvernoPolicy) IsNamespaced added in v1.10.5

func (p *KyvernoPolicy) IsNamespaced() bool

func (*KyvernoPolicy) MetaObject added in v1.10.5

func (p *KyvernoPolicy) MetaObject() metav1.Object

type NamespacedResourceResolver

type NamespacedResourceResolver[T any] interface {
	// Get is used to resolve a resource given a namespace and name
	Get(
		ctx context.Context,
		namespace string,
		name string,
	) (T, error)
}

NamespacedResourceResolver is an abstract interface used to resolve namespaced resources Any implementation might exist, cache based, file based, client based etc...

func NewNamespacedResourceResolver

func NewNamespacedResourceResolver[T any](resolvers ...NamespacedResourceResolver[T]) (NamespacedResourceResolver[T], error)

NewNamespacedResourceResolver creates a NamespacedResourceResolver from a NamespacedResourceResolver chain It will try to resolve resources by iterating over individual resolvers until one finds the requested resource

type NamespacedResourceSelector

type NamespacedResourceSelector[T any] interface {
	// List selects resources based on label selector.
	// Objects returned here must be treated as read-only.
	List(selector labels.Selector) (ret []T, err error)
}

NamespacedResourceSelector is an abstract interface used to list namespaced resources given a label selector Any implementation might exist, cache based, file based, client based etc...

type PodSecurityChecks

type PodSecurityChecks struct {
	// Level is the pod security level
	Level api.Level
	// Version is the pod security version
	Version string
	// Checks contains check result details
	Checks []pssutils.PSSCheckResult
}

PodSecurityChecks details about pod securty checks

type PolicyContext

type PolicyContext interface {
	Policy() kyvernov1.PolicyInterface
	NewResource() unstructured.Unstructured
	OldResource() unstructured.Unstructured
	SetResources(oldResource, newResource unstructured.Unstructured) error
	AdmissionInfo() kyvernov1beta1.RequestInfo
	Operation() kyvernov1.AdmissionOperation
	NamespaceLabels() map[string]string
	RequestResource() metav1.GroupVersionResource
	ResourceKind() (schema.GroupVersionKind, string)
	AdmissionOperation() bool
	Element() unstructured.Unstructured
	SetElement(element unstructured.Unstructured)

	JSONContext() enginecontext.Interface
	Copy() PolicyContext
}

type PolicyExceptionSelector

type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2beta1.PolicyException]

PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions

type PolicyResponse

type PolicyResponse struct {

	// Rules contains policy rules responses
	Rules []RuleResponse
	// contains filtered or unexported fields
}

PolicyResponse policy application response

func NewPolicyResponse

func NewPolicyResponse() PolicyResponse

func (*PolicyResponse) Add

func (pr *PolicyResponse) Add(stats ExecutionStats, responses ...RuleResponse)

func (*PolicyResponse) RulesAppliedCount

func (pr *PolicyResponse) RulesAppliedCount() int

func (*PolicyResponse) RulesErrorCount

func (pr *PolicyResponse) RulesErrorCount() int

func (*PolicyResponse) Stats

func (pr *PolicyResponse) Stats() PolicyStats

type PolicyStats

type PolicyStats struct {
	// contains filtered or unexported fields
}

PolicyStats stores statistics for the single policy application

func (*PolicyStats) RulesAppliedCount

func (ps *PolicyStats) RulesAppliedCount() int

func (*PolicyStats) RulesErrorCount

func (ps *PolicyStats) RulesErrorCount() int

type PolicyType added in v1.10.5

type PolicyType string

PolicyType represents the type of a policy

const (
	// KyvernoPolicy type for kyverno policies
	KyvernoPolicyType PolicyType = "KyvernoPolicy"
	// ValidatingAdmissionPolicy for validating admission policies
	ValidatingAdmissionPolicyType PolicyType = "ValidatingAdmissionPolicy"
)

type RawClient added in v1.10.5

type RawClient interface {
	RawAbsPath(ctx context.Context, path string, method string, dataReader io.Reader) ([]byte, error)
}

type RegistryClient added in v1.10.5

type RegistryClient interface {
	ImageDataClient
	KeychainClient
	RemoteClient
}

type RegistryClientFactory added in v1.10.5

type RegistryClientFactory interface {
	GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (RegistryClient, error)
}

type RemoteClient added in v1.10.5

type RemoteClient interface {
	Options(context.Context) ([]gcrremote.Option, error)
}

type Resource added in v1.10.5

type Resource struct {
	Group        string
	Version      string
	Resource     string
	SubResource  string
	Unstructured unstructured.Unstructured
}

type ResourceClient added in v1.10.5

type ResourceClient interface {
	GetResource(ctx context.Context, apiVersion, kind, namespace, name string, subresources ...string) (*unstructured.Unstructured, error)
	ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error)
	GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]Resource, error)
	GetNamespace(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Namespace, error)
	IsNamespaced(group, version, kind string) (bool, error)
}

type ResourceSpec

type ResourceSpec struct {
	Kind       string
	APIVersion string
	Namespace  string
	Name       string
	UID        string
}

ResourceSpec resource action applied on

func (ResourceSpec) String

func (rs ResourceSpec) String() string

String implements Stringer interface

type RuleResponse

type RuleResponse struct {
	// contains filtered or unexported fields
}

RuleResponse details for each rule application

func NewRuleResponse

func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse

func RuleError

func RuleError(name string, ruleType RuleType, msg string, err error) *RuleResponse

func RuleFail

func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse

func RulePass

func RulePass(name string, ruleType RuleType, msg string) *RuleResponse

func RuleSkip

func RuleSkip(name string, ruleType RuleType, msg string) *RuleResponse

func RuleWarn

func RuleWarn(name string, ruleType RuleType, msg string) *RuleResponse

func (*RuleResponse) EmitWarning added in v1.12.0

func (r *RuleResponse) EmitWarning() bool

func (*RuleResponse) Exception

func (*RuleResponse) GeneratedResource

func (r *RuleResponse) GeneratedResource() unstructured.Unstructured

func (*RuleResponse) HasStatus

func (r *RuleResponse) HasStatus(status ...RuleStatus) bool

HasStatus checks if rule status is in a given list

func (*RuleResponse) IsException

func (r *RuleResponse) IsException() bool

func (*RuleResponse) Message

func (r *RuleResponse) Message() string

func (*RuleResponse) Name

func (r *RuleResponse) Name() string

func (*RuleResponse) PatchedTarget

func (*RuleResponse) PodSecurityChecks

func (r *RuleResponse) PodSecurityChecks() *PodSecurityChecks

func (*RuleResponse) RuleType

func (r *RuleResponse) RuleType() RuleType

func (*RuleResponse) Stats

func (r *RuleResponse) Stats() ExecutionStats

func (*RuleResponse) Status

func (r *RuleResponse) Status() RuleStatus

func (*RuleResponse) String

func (r *RuleResponse) String() string

String implements Stringer interface

func (*RuleResponse) ValidatingAdmissionPolicyBinding added in v1.12.0

func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *v1alpha1.ValidatingAdmissionPolicyBinding

func (RuleResponse) WithBinding added in v1.12.0

func (RuleResponse) WithEmitWarning added in v1.12.0

func (r RuleResponse) WithEmitWarning(emitWarning bool) *RuleResponse

func (RuleResponse) WithException

func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse

func (RuleResponse) WithGeneratedResource

func (r RuleResponse) WithGeneratedResource(resource unstructured.Unstructured) *RuleResponse

func (RuleResponse) WithPatchedTarget

func (r RuleResponse) WithPatchedTarget(patchedTarget *unstructured.Unstructured, gvr metav1.GroupVersionResource, subresource string) *RuleResponse

func (RuleResponse) WithPodSecurityChecks

func (r RuleResponse) WithPodSecurityChecks(checks PodSecurityChecks) *RuleResponse

func (RuleResponse) WithStats

func (r RuleResponse) WithStats(stats ExecutionStats) RuleResponse

type RuleStatus

type RuleStatus string

RuleStatus represents the status of rule execution

const (
	// RuleStatusPass indicates that the resources meets the policy rule requirements
	RuleStatusPass RuleStatus = "pass"
	// RuleStatusFail indicates that the resource does not meet the policy rule requirements
	RuleStatusFail RuleStatus = "fail"
	// RuleStatusWarn indicates that the resource does not meet the policy rule requirements, but the policy is not scored
	RuleStatusWarn RuleStatus = "warning"
	// RuleStatusError indicates that the policy rule could not be evaluated due to a processing error, for
	// example when a variable cannot be resolved  in the policy rule definition. Note that variables
	// that cannot be resolved in preconditions are replaced with empty values to allow existence
	// checks.
	RuleStatusError RuleStatus = "error"
	// RuleStatusSkip indicates that the policy rule was not selected based on user inputs or applicability, for example
	// when preconditions are not met, or when conditional or global anchors are not satisfied.
	RuleStatusSkip RuleStatus = "skip"
)

type RuleType

type RuleType string

RuleType represents the type of a rule

const (
	// Mutation type for mutation rule
	Mutation RuleType = "Mutation"
	// Validation type for validation rule
	Validation RuleType = "Validation"
	// Generation type for generation rule
	Generation RuleType = "Generation"
	// ImageVerify type for image verification
	ImageVerify RuleType = "ImageVerify"
)

type ValidatingAdmissionPolicy added in v1.10.5

type ValidatingAdmissionPolicy struct {
	// contains filtered or unexported fields
}

func (*ValidatingAdmissionPolicy) AsKyvernoPolicy added in v1.12.0

func (*ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy added in v1.12.0

func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy

func (*ValidatingAdmissionPolicy) GetAPIVersion added in v1.12.0

func (p *ValidatingAdmissionPolicy) GetAPIVersion() string

func (*ValidatingAdmissionPolicy) GetAnnotations added in v1.10.5

func (p *ValidatingAdmissionPolicy) GetAnnotations() map[string]string

func (*ValidatingAdmissionPolicy) GetKind added in v1.10.5

func (p *ValidatingAdmissionPolicy) GetKind() string

func (*ValidatingAdmissionPolicy) GetName added in v1.10.5

func (p *ValidatingAdmissionPolicy) GetName() string

func (*ValidatingAdmissionPolicy) GetNamespace added in v1.10.5

func (p *ValidatingAdmissionPolicy) GetNamespace() string

func (*ValidatingAdmissionPolicy) GetResourceVersion added in v1.10.5

func (p *ValidatingAdmissionPolicy) GetResourceVersion() string

func (*ValidatingAdmissionPolicy) GetType added in v1.10.5

func (*ValidatingAdmissionPolicy) IsNamespaced added in v1.10.5

func (p *ValidatingAdmissionPolicy) IsNamespaced() bool

func (*ValidatingAdmissionPolicy) MetaObject added in v1.10.5

func (p *ValidatingAdmissionPolicy) MetaObject() metav1.Object

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL