Documentation ¶
Index ¶
- type AuthClient
- type Client
- type ConfigmapResolver
- type ContextLoader
- type ContextLoaderFactory
- type Engine
- type EngineContextLoader
- type EngineContextLoaderFactory
- type EngineResponse
- func (er EngineResponse) GetFailedRules() []string
- func (er EngineResponse) GetFailedRulesWithErrors() []string
- func (er EngineResponse) GetPatches() []jsonpatch.JsonPatchOperation
- func (er EngineResponse) GetResourceSpec() ResourceSpec
- func (er EngineResponse) GetSuccessRules() []string
- func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction
- func (er EngineResponse) IsEmpty() bool
- func (er EngineResponse) IsError() bool
- func (er EngineResponse) IsFailed() bool
- func (er EngineResponse) IsNil() bool
- func (er EngineResponse) IsOneOf(status ...RuleStatus) bool
- func (er EngineResponse) IsSkipped() bool
- func (er EngineResponse) IsSuccessful() bool
- func (er *EngineResponse) NamespaceLabels() map[string]string
- func (er *EngineResponse) Policy() GenericPolicy
- func (er EngineResponse) WithNamespaceLabels(namespaceLabels map[string]string) EngineResponse
- func (er EngineResponse) WithPatchedResource(patchedResource unstructured.Unstructured) EngineResponse
- func (er EngineResponse) WithPolicy(policy GenericPolicy) EngineResponse
- func (er EngineResponse) WithPolicyResponse(policyResponse PolicyResponse) EngineResponse
- func (r EngineResponse) WithStats(stats ExecutionStats) EngineResponse
- type ExcludeFunc
- type ExecutionStats
- type GenericPolicy
- type ImageData
- type ImageDataClient
- type ImageVerificationMetadata
- func (ivm *ImageVerificationMetadata) Add(image string, verified ImageVerificationMetadataStatus)
- func (ivm *ImageVerificationMetadata) ImageVerificationStatus(image string) ImageVerificationMetadataStatus
- func (ivm *ImageVerificationMetadata) IsEmpty() bool
- func (ivm *ImageVerificationMetadata) IsVerified(image string) bool
- func (ivm *ImageVerificationMetadata) Merge(other ImageVerificationMetadata)
- func (ivm *ImageVerificationMetadata) Patches(hasAnnotations bool, log logr.Logger) ([]jsonpatch.JsonPatchOperation, error)
- type ImageVerificationMetadataStatus
- type Initializer
- type KeychainClient
- type KyvernoPolicy
- func (p *KyvernoPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface
- func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
- func (p *KyvernoPolicy) GetAPIVersion() string
- func (p *KyvernoPolicy) GetAnnotations() map[string]string
- func (p *KyvernoPolicy) GetKind() string
- func (p *KyvernoPolicy) GetName() string
- func (p *KyvernoPolicy) GetNamespace() string
- func (p *KyvernoPolicy) GetResourceVersion() string
- func (p *KyvernoPolicy) GetType() PolicyType
- func (p *KyvernoPolicy) IsNamespaced() bool
- func (p *KyvernoPolicy) MetaObject() metav1.Object
- type NamespacedResourceResolver
- type NamespacedResourceSelector
- type PodSecurityChecks
- type PolicyContext
- type PolicyExceptionSelector
- type PolicyResponse
- type PolicyStats
- type PolicyType
- type RawClient
- type RegistryClient
- type RegistryClientFactory
- type RemoteClient
- type Resource
- type ResourceClient
- type ResourceSpec
- type RuleResponse
- func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse
- func RuleError(name string, ruleType RuleType, msg string, err error) *RuleResponse
- func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse
- func RulePass(name string, ruleType RuleType, msg string) *RuleResponse
- func RuleSkip(name string, ruleType RuleType, msg string) *RuleResponse
- func RuleWarn(name string, ruleType RuleType, msg string) *RuleResponse
- func (r *RuleResponse) EmitWarning() bool
- func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException
- func (r *RuleResponse) GeneratedResource() unstructured.Unstructured
- func (r *RuleResponse) HasStatus(status ...RuleStatus) bool
- func (r *RuleResponse) IsException() bool
- func (r *RuleResponse) Message() string
- func (r *RuleResponse) Name() string
- func (r *RuleResponse) PatchedTarget() (*unstructured.Unstructured, metav1.GroupVersionResource, string)
- func (r *RuleResponse) PodSecurityChecks() *PodSecurityChecks
- func (r *RuleResponse) RuleType() RuleType
- func (r *RuleResponse) Stats() ExecutionStats
- func (r *RuleResponse) Status() RuleStatus
- func (r *RuleResponse) String() string
- func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *v1alpha1.ValidatingAdmissionPolicyBinding
- func (r RuleResponse) WithBinding(binding *v1alpha1.ValidatingAdmissionPolicyBinding) *RuleResponse
- func (r RuleResponse) WithEmitWarning(emitWarning bool) *RuleResponse
- func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse
- func (r RuleResponse) WithGeneratedResource(resource unstructured.Unstructured) *RuleResponse
- func (r RuleResponse) WithPatchedTarget(patchedTarget *unstructured.Unstructured, gvr metav1.GroupVersionResource, ...) *RuleResponse
- func (r RuleResponse) WithPodSecurityChecks(checks PodSecurityChecks) *RuleResponse
- func (r RuleResponse) WithStats(stats ExecutionStats) RuleResponse
- type RuleStatus
- type RuleType
- type ValidatingAdmissionPolicy
- func (p *ValidatingAdmissionPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface
- func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
- func (p *ValidatingAdmissionPolicy) GetAPIVersion() string
- func (p *ValidatingAdmissionPolicy) GetAnnotations() map[string]string
- func (p *ValidatingAdmissionPolicy) GetKind() string
- func (p *ValidatingAdmissionPolicy) GetName() string
- func (p *ValidatingAdmissionPolicy) GetNamespace() string
- func (p *ValidatingAdmissionPolicy) GetResourceVersion() string
- func (p *ValidatingAdmissionPolicy) GetType() PolicyType
- func (p *ValidatingAdmissionPolicy) IsNamespaced() bool
- func (p *ValidatingAdmissionPolicy) MetaObject() metav1.Object
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthClient ¶ added in v1.10.5
type Client ¶ added in v1.10.5
type Client interface { RawClient AuthClient ResourceClient }
type ConfigmapResolver ¶
type ConfigmapResolver = NamespacedResourceResolver[*corev1.ConfigMap]
ConfigmapResolver is an abstract interface used to resolve configmaps
type ContextLoader ¶
type ContextLoader interface { Load( ctx context.Context, jp jmespath.Interface, client RawClient, rclientFactory RegistryClientFactory, contextEntries []kyvernov1.ContextEntry, jsonContext enginecontext.Interface, ) error }
ContextLoader abstracts the mechanics to load context entries in the underlying json context
type ContextLoaderFactory ¶
type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader
ContextLoaderFactory provides a ContextLoader given a policy context and rule name
type Engine ¶
type Engine interface { // Validate applies validation rules from policy on the resource Validate( ctx context.Context, policyContext PolicyContext, ) EngineResponse // Mutate performs mutation. Overlay first and then mutation patches Mutate( ctx context.Context, policyContext PolicyContext, ) EngineResponse // Generate checks for validity of generate rule on the resource Generate( ctx context.Context, policyContext PolicyContext, ) EngineResponse // VerifyAndPatchImages ... VerifyAndPatchImages( ctx context.Context, policyContext PolicyContext, ) (EngineResponse, ImageVerificationMetadata) // ApplyBackgroundChecks checks for validity of generate and mutateExisting rules on the resource // 1. validate variables to be substitute in the general ruleInfo (match,exclude,condition) // - the caller has to check the ruleResponse to determine whether the path exist // // 2. returns the list of rules that are applicable on this policy and resource, if 1 succeed ApplyBackgroundChecks( ctx context.Context, policyContext PolicyContext, ) EngineResponse ContextLoader( policy kyvernov1.PolicyInterface, rule kyvernov1.Rule, ) EngineContextLoader }
Engine is the main interface to run policies against resources
type EngineContextLoader ¶
type EngineContextLoader = func(ctx context.Context, contextEntries []kyvernov1.ContextEntry, jsonContext enginecontext.Interface) error
EngineContextLoader provides a function to load context entries from the various clients initialised with the engine ones
type EngineContextLoaderFactory ¶
type EngineContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) EngineContextLoader
EngineContextLoaderFactory provides an EngineContextLoader given a policy and rule name
type EngineResponse ¶
type EngineResponse struct { // Resource is the original resource Resource unstructured.Unstructured // PatchedResource is the resource patched with the engine action changes PatchedResource unstructured.Unstructured // PolicyResponse contains the engine policy response PolicyResponse PolicyResponse // contains filtered or unexported fields }
EngineResponse engine response to the action
func NewEngineResponse ¶
func NewEngineResponse( resource unstructured.Unstructured, policy GenericPolicy, namespaceLabels map[string]string, ) EngineResponse
func NewEngineResponseFromPolicyContext ¶
func NewEngineResponseFromPolicyContext(policyContext PolicyContext) EngineResponse
func (EngineResponse) GetFailedRules ¶
func (er EngineResponse) GetFailedRules() []string
GetFailedRules returns failed rules
func (EngineResponse) GetFailedRulesWithErrors ¶
func (er EngineResponse) GetFailedRulesWithErrors() []string
GetFailedRulesWithErrors returns failed rules with corresponding error messages
func (EngineResponse) GetPatches ¶
func (er EngineResponse) GetPatches() []jsonpatch.JsonPatchOperation
GetPatches returns all the patches joined
func (EngineResponse) GetResourceSpec ¶
func (er EngineResponse) GetResourceSpec() ResourceSpec
GetResourceSpec returns resourceSpec of er
func (EngineResponse) GetSuccessRules ¶
func (er EngineResponse) GetSuccessRules() []string
GetSuccessRules returns success rules
func (EngineResponse) GetValidationFailureAction ¶
func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction
If the policy is of type ValidatingAdmissionPolicy, an empty string is returned.
func (EngineResponse) IsEmpty ¶
func (er EngineResponse) IsEmpty() bool
IsEmpty checks if any rule results are present
func (EngineResponse) IsError ¶
func (er EngineResponse) IsError() bool
IsError checks if any rule resulted in a processing error
func (EngineResponse) IsFailed ¶
func (er EngineResponse) IsFailed() bool
IsFailed checks if any rule created a policy violation
func (EngineResponse) IsNil ¶
func (er EngineResponse) IsNil() bool
isNil checks if rule is an empty rule
func (EngineResponse) IsOneOf ¶
func (er EngineResponse) IsOneOf(status ...RuleStatus) bool
IsOneOf checks if any rule has status in a given list
func (EngineResponse) IsSkipped ¶
func (er EngineResponse) IsSkipped() bool
IsSkipped checks if any rule has skipped resource or not.
func (EngineResponse) IsSuccessful ¶
func (er EngineResponse) IsSuccessful() bool
IsSuccessful checks if any rule has failed or produced an error during execution
func (*EngineResponse) NamespaceLabels ¶
func (er *EngineResponse) NamespaceLabels() map[string]string
func (*EngineResponse) Policy ¶
func (er *EngineResponse) Policy() GenericPolicy
func (EngineResponse) WithNamespaceLabels ¶
func (er EngineResponse) WithNamespaceLabels(namespaceLabels map[string]string) EngineResponse
func (EngineResponse) WithPatchedResource ¶
func (er EngineResponse) WithPatchedResource(patchedResource unstructured.Unstructured) EngineResponse
func (EngineResponse) WithPolicy ¶
func (er EngineResponse) WithPolicy(policy GenericPolicy) EngineResponse
func (EngineResponse) WithPolicyResponse ¶
func (er EngineResponse) WithPolicyResponse(policyResponse PolicyResponse) EngineResponse
func (EngineResponse) WithStats ¶
func (r EngineResponse) WithStats(stats ExecutionStats) EngineResponse
type ExcludeFunc ¶
ExcludeFunc is a function used to determine if a resource is excluded
type ExecutionStats ¶
type ExecutionStats struct {
// contains filtered or unexported fields
}
ExecutionStats stores the statistics for the single policy/rule application
func NewExecutionStats ¶
func NewExecutionStats(startTime, endTime time.Time) ExecutionStats
func (ExecutionStats) ProcessingTime ¶
func (s ExecutionStats) ProcessingTime() time.Duration
func (ExecutionStats) Time ¶
func (s ExecutionStats) Time() time.Time
func (ExecutionStats) Timestamp ¶
func (s ExecutionStats) Timestamp() int64
type GenericPolicy ¶ added in v1.10.5
type GenericPolicy interface { // AsKyvernoPolicy returns the kyverno policy AsKyvernoPolicy() kyvernov1.PolicyInterface // AsValidatingAdmissionPolicy returns the validating admission policy AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy // GetType returns policy type GetType() PolicyType // GetAPIVersion returns policy API version GetAPIVersion() string // GetName returns policy name GetName() string // GetNamespace returns policy namespace GetNamespace() string // GetKind returns policy kind GetKind() string // GetResourceVersion returns policy resource version GetResourceVersion() string // GetAnnotations returns policy annotations GetAnnotations() map[string]string // IsNamespaced indicates if the policy is namespace scoped IsNamespaced() bool // MetaObject provides an object compatible with metav1.Object MetaObject() metav1.Object }
GenericPolicy abstracts the policy type (Kyverno policy vs Validating admission policy) It is intended to be used in EngineResponse
func NewKyvernoPolicy ¶ added in v1.10.5
func NewKyvernoPolicy(pol kyvernov1.PolicyInterface) GenericPolicy
func NewValidatingAdmissionPolicy ¶ added in v1.10.5
func NewValidatingAdmissionPolicy(pol v1alpha1.ValidatingAdmissionPolicy) GenericPolicy
type ImageDataClient ¶ added in v1.10.5
type ImageVerificationMetadata ¶
type ImageVerificationMetadata struct {
Data map[string]ImageVerificationMetadataStatus `json:"data"`
}
func ParseImageMetadata ¶
func ParseImageMetadata(jsonData string) (*ImageVerificationMetadata, error)
func (*ImageVerificationMetadata) Add ¶
func (ivm *ImageVerificationMetadata) Add(image string, verified ImageVerificationMetadataStatus)
func (*ImageVerificationMetadata) ImageVerificationStatus ¶ added in v1.12.0
func (ivm *ImageVerificationMetadata) ImageVerificationStatus(image string) ImageVerificationMetadataStatus
func (*ImageVerificationMetadata) IsEmpty ¶
func (ivm *ImageVerificationMetadata) IsEmpty() bool
func (*ImageVerificationMetadata) IsVerified ¶
func (ivm *ImageVerificationMetadata) IsVerified(image string) bool
func (*ImageVerificationMetadata) Merge ¶
func (ivm *ImageVerificationMetadata) Merge(other ImageVerificationMetadata)
type ImageVerificationMetadataStatus ¶ added in v1.12.0
type ImageVerificationMetadataStatus string
const ( ImageVerificationPass ImageVerificationMetadataStatus = "pass" ImageVerificationFail ImageVerificationMetadataStatus = "fail" ImageVerificationSkip ImageVerificationMetadataStatus = "skip" )
type Initializer ¶ added in v1.10.1
type Initializer = func(jsonContext enginecontext.Interface) error
type KeychainClient ¶ added in v1.10.5
type KyvernoPolicy ¶ added in v1.10.5
type KyvernoPolicy struct {
// contains filtered or unexported fields
}
func (*KyvernoPolicy) AsKyvernoPolicy ¶ added in v1.12.0
func (p *KyvernoPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface
func (*KyvernoPolicy) AsValidatingAdmissionPolicy ¶ added in v1.12.0
func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
func (*KyvernoPolicy) GetAPIVersion ¶ added in v1.12.0
func (p *KyvernoPolicy) GetAPIVersion() string
func (*KyvernoPolicy) GetAnnotations ¶ added in v1.10.5
func (p *KyvernoPolicy) GetAnnotations() map[string]string
func (*KyvernoPolicy) GetKind ¶ added in v1.10.5
func (p *KyvernoPolicy) GetKind() string
func (*KyvernoPolicy) GetName ¶ added in v1.10.5
func (p *KyvernoPolicy) GetName() string
func (*KyvernoPolicy) GetNamespace ¶ added in v1.10.5
func (p *KyvernoPolicy) GetNamespace() string
func (*KyvernoPolicy) GetResourceVersion ¶ added in v1.10.5
func (p *KyvernoPolicy) GetResourceVersion() string
func (*KyvernoPolicy) GetType ¶ added in v1.10.5
func (p *KyvernoPolicy) GetType() PolicyType
func (*KyvernoPolicy) IsNamespaced ¶ added in v1.10.5
func (p *KyvernoPolicy) IsNamespaced() bool
func (*KyvernoPolicy) MetaObject ¶ added in v1.10.5
func (p *KyvernoPolicy) MetaObject() metav1.Object
type NamespacedResourceResolver ¶
type NamespacedResourceResolver[T any] interface { // Get is used to resolve a resource given a namespace and name Get( ctx context.Context, namespace string, name string, ) (T, error) }
NamespacedResourceResolver is an abstract interface used to resolve namespaced resources Any implementation might exist, cache based, file based, client based etc...
func NewNamespacedResourceResolver ¶
func NewNamespacedResourceResolver[T any](resolvers ...NamespacedResourceResolver[T]) (NamespacedResourceResolver[T], error)
NewNamespacedResourceResolver creates a NamespacedResourceResolver from a NamespacedResourceResolver chain It will try to resolve resources by iterating over individual resolvers until one finds the requested resource
type NamespacedResourceSelector ¶
type NamespacedResourceSelector[T any] interface { // List selects resources based on label selector. // Objects returned here must be treated as read-only. List(selector labels.Selector) (ret []T, err error) }
NamespacedResourceSelector is an abstract interface used to list namespaced resources given a label selector Any implementation might exist, cache based, file based, client based etc...
type PodSecurityChecks ¶
type PodSecurityChecks struct { // Level is the pod security level Level api.Level // Version is the pod security version Version string // Checks contains check result details Checks []pssutils.PSSCheckResult }
PodSecurityChecks details about pod securty checks
type PolicyContext ¶
type PolicyContext interface { Policy() kyvernov1.PolicyInterface NewResource() unstructured.Unstructured OldResource() unstructured.Unstructured SetResources(oldResource, newResource unstructured.Unstructured) error AdmissionInfo() kyvernov1beta1.RequestInfo Operation() kyvernov1.AdmissionOperation NamespaceLabels() map[string]string RequestResource() metav1.GroupVersionResource ResourceKind() (schema.GroupVersionKind, string) AdmissionOperation() bool Element() unstructured.Unstructured SetElement(element unstructured.Unstructured) JSONContext() enginecontext.Interface Copy() PolicyContext }
type PolicyExceptionSelector ¶
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2beta1.PolicyException]
PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
type PolicyResponse ¶
type PolicyResponse struct { // Rules contains policy rules responses Rules []RuleResponse // contains filtered or unexported fields }
PolicyResponse policy application response
func NewPolicyResponse ¶
func NewPolicyResponse() PolicyResponse
func (*PolicyResponse) Add ¶
func (pr *PolicyResponse) Add(stats ExecutionStats, responses ...RuleResponse)
func (*PolicyResponse) RulesAppliedCount ¶
func (pr *PolicyResponse) RulesAppliedCount() int
func (*PolicyResponse) RulesErrorCount ¶
func (pr *PolicyResponse) RulesErrorCount() int
func (*PolicyResponse) Stats ¶
func (pr *PolicyResponse) Stats() PolicyStats
type PolicyStats ¶
type PolicyStats struct {
// contains filtered or unexported fields
}
PolicyStats stores statistics for the single policy application
func (*PolicyStats) RulesAppliedCount ¶
func (ps *PolicyStats) RulesAppliedCount() int
func (*PolicyStats) RulesErrorCount ¶
func (ps *PolicyStats) RulesErrorCount() int
type PolicyType ¶ added in v1.10.5
type PolicyType string
PolicyType represents the type of a policy
const ( // KyvernoPolicy type for kyverno policies KyvernoPolicyType PolicyType = "KyvernoPolicy" // ValidatingAdmissionPolicy for validating admission policies ValidatingAdmissionPolicyType PolicyType = "ValidatingAdmissionPolicy" )
type RegistryClient ¶ added in v1.10.5
type RegistryClient interface { ImageDataClient KeychainClient RemoteClient }
type RegistryClientFactory ¶ added in v1.10.5
type RegistryClientFactory interface {
GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (RegistryClient, error)
}
type RemoteClient ¶ added in v1.10.5
type Resource ¶ added in v1.10.5
type Resource struct { Group string Version string Resource string SubResource string Unstructured unstructured.Unstructured }
type ResourceClient ¶ added in v1.10.5
type ResourceClient interface { GetResource(ctx context.Context, apiVersion, kind, namespace, name string, subresources ...string) (*unstructured.Unstructured, error) ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error) GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]Resource, error) GetNamespace(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Namespace, error) IsNamespaced(group, version, kind string) (bool, error) }
type ResourceSpec ¶
ResourceSpec resource action applied on
func (ResourceSpec) String ¶
func (rs ResourceSpec) String() string
String implements Stringer interface
type RuleResponse ¶
type RuleResponse struct {
// contains filtered or unexported fields
}
RuleResponse details for each rule application
func NewRuleResponse ¶
func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse
func RuleError ¶
func RuleError(name string, ruleType RuleType, msg string, err error) *RuleResponse
func (*RuleResponse) EmitWarning ¶ added in v1.12.0
func (r *RuleResponse) EmitWarning() bool
func (*RuleResponse) Exception ¶
func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException
func (*RuleResponse) GeneratedResource ¶
func (r *RuleResponse) GeneratedResource() unstructured.Unstructured
func (*RuleResponse) HasStatus ¶
func (r *RuleResponse) HasStatus(status ...RuleStatus) bool
HasStatus checks if rule status is in a given list
func (*RuleResponse) IsException ¶
func (r *RuleResponse) IsException() bool
func (*RuleResponse) Message ¶
func (r *RuleResponse) Message() string
func (*RuleResponse) Name ¶
func (r *RuleResponse) Name() string
func (*RuleResponse) PatchedTarget ¶
func (r *RuleResponse) PatchedTarget() (*unstructured.Unstructured, metav1.GroupVersionResource, string)
func (*RuleResponse) PodSecurityChecks ¶
func (r *RuleResponse) PodSecurityChecks() *PodSecurityChecks
func (*RuleResponse) RuleType ¶
func (r *RuleResponse) RuleType() RuleType
func (*RuleResponse) Stats ¶
func (r *RuleResponse) Stats() ExecutionStats
func (*RuleResponse) Status ¶
func (r *RuleResponse) Status() RuleStatus
func (*RuleResponse) String ¶
func (r *RuleResponse) String() string
String implements Stringer interface
func (*RuleResponse) ValidatingAdmissionPolicyBinding ¶ added in v1.12.0
func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *v1alpha1.ValidatingAdmissionPolicyBinding
func (RuleResponse) WithBinding ¶ added in v1.12.0
func (r RuleResponse) WithBinding(binding *v1alpha1.ValidatingAdmissionPolicyBinding) *RuleResponse
func (RuleResponse) WithEmitWarning ¶ added in v1.12.0
func (r RuleResponse) WithEmitWarning(emitWarning bool) *RuleResponse
func (RuleResponse) WithException ¶
func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse
func (RuleResponse) WithGeneratedResource ¶
func (r RuleResponse) WithGeneratedResource(resource unstructured.Unstructured) *RuleResponse
func (RuleResponse) WithPatchedTarget ¶
func (r RuleResponse) WithPatchedTarget(patchedTarget *unstructured.Unstructured, gvr metav1.GroupVersionResource, subresource string) *RuleResponse
func (RuleResponse) WithPodSecurityChecks ¶
func (r RuleResponse) WithPodSecurityChecks(checks PodSecurityChecks) *RuleResponse
func (RuleResponse) WithStats ¶
func (r RuleResponse) WithStats(stats ExecutionStats) RuleResponse
type RuleStatus ¶
type RuleStatus string
RuleStatus represents the status of rule execution
const ( // RuleStatusPass indicates that the resources meets the policy rule requirements RuleStatusPass RuleStatus = "pass" // RuleStatusFail indicates that the resource does not meet the policy rule requirements RuleStatusFail RuleStatus = "fail" // RuleStatusWarn indicates that the resource does not meet the policy rule requirements, but the policy is not scored RuleStatusWarn RuleStatus = "warning" // RuleStatusError indicates that the policy rule could not be evaluated due to a processing error, for // example when a variable cannot be resolved in the policy rule definition. Note that variables // that cannot be resolved in preconditions are replaced with empty values to allow existence // checks. RuleStatusError RuleStatus = "error" // RuleStatusSkip indicates that the policy rule was not selected based on user inputs or applicability, for example // when preconditions are not met, or when conditional or global anchors are not satisfied. RuleStatusSkip RuleStatus = "skip" )
type RuleType ¶
type RuleType string
RuleType represents the type of a rule
const ( // Mutation type for mutation rule Mutation RuleType = "Mutation" // Validation type for validation rule Validation RuleType = "Validation" // Generation type for generation rule Generation RuleType = "Generation" // ImageVerify type for image verification ImageVerify RuleType = "ImageVerify" )
type ValidatingAdmissionPolicy ¶ added in v1.10.5
type ValidatingAdmissionPolicy struct {
// contains filtered or unexported fields
}
func (*ValidatingAdmissionPolicy) AsKyvernoPolicy ¶ added in v1.12.0
func (p *ValidatingAdmissionPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface
func (*ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy ¶ added in v1.12.0
func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
func (*ValidatingAdmissionPolicy) GetAPIVersion ¶ added in v1.12.0
func (p *ValidatingAdmissionPolicy) GetAPIVersion() string
func (*ValidatingAdmissionPolicy) GetAnnotations ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) GetAnnotations() map[string]string
func (*ValidatingAdmissionPolicy) GetKind ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) GetKind() string
func (*ValidatingAdmissionPolicy) GetName ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) GetName() string
func (*ValidatingAdmissionPolicy) GetNamespace ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) GetNamespace() string
func (*ValidatingAdmissionPolicy) GetResourceVersion ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) GetResourceVersion() string
func (*ValidatingAdmissionPolicy) GetType ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) GetType() PolicyType
func (*ValidatingAdmissionPolicy) IsNamespaced ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) IsNamespaced() bool
func (*ValidatingAdmissionPolicy) MetaObject ¶ added in v1.10.5
func (p *ValidatingAdmissionPolicy) MetaObject() metav1.Object