Documentation ¶
Index ¶
- func HandleValidation(promConfig *metrics.PromConfig, request *v1beta1.AdmissionRequest, ...) (bool, string)
- type ArrayFlags
- type AuditHandler
- type WebhookServer
- func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []*kyverno.ClusterPolicy, ...)
- func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, ...) ([]byte, []kyverno.ClusterPolicy, []*response.EngineResponse)
- func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse
- func (ws *WebhookServer) RunAsync(stopCh <-chan struct{})
- func (ws *WebhookServer) Stop(ctx context.Context)
Functions ¶
func HandleValidation ¶ added in v1.2.0
func HandleValidation( promConfig *metrics.PromConfig, request *v1beta1.AdmissionRequest, policies []*kyverno.ClusterPolicy, patchedResource []byte, ctx *context.Context, userRequestInfo kyverno.RequestInfo, statusListener policystatus.Listener, eventGen event.Interface, prGenerator policyreport.GeneratorInterface, log logr.Logger, dynamicConfig config.Interface, resCache resourcecache.ResourceCache, client *client.Client, namespaceLabels map[string]string, admissionRequestTimestamp int64) (bool, string)
HandleValidation handles a validating webhook admission request. If there are no errors in the validating rules, we apply generation rules. patchedResource is the (resource + patches) after applying mutation rules.
Types ¶
type ArrayFlags ¶ added in v0.4.0
type ArrayFlags []string
ArrayFlags stores filterkinds.
func (*ArrayFlags) Set ¶ added in v0.4.0
func (i *ArrayFlags) Set(value string) error
Set is the setter for array flags.
func (*ArrayFlags) String ¶ added in v0.4.0
func (i *ArrayFlags) String() string
type AuditHandler ¶ added in v1.2.0
type AuditHandler interface { Add(request *v1beta1.AdmissionRequest) Run(workers int, stopCh <-chan struct{}) }
AuditHandler applies validate audit policies to the admission request. The handler adds the request to the work queue and returns immediately; the request is then processed in the background, with exactly the same logic as when the admission request is processed in the webhook.
func NewValidateAuditHandler ¶ added in v1.2.0
func NewValidateAuditHandler(pCache policycache.Interface, eventGen event.Interface, statusListener policystatus.Listener, prGenerator policyreport.GeneratorInterface, rbInformer rbacinformer.RoleBindingInformer, crbInformer rbacinformer.ClusterRoleBindingInformer, namespaces informers.NamespaceInformer, log logr.Logger, dynamicConfig config.Interface, resCache resourcecache.ResourceCache, client *client.Client, promConfig *metrics.PromConfig) AuditHandler
NewValidateAuditHandler returns a new instance of audit policy handler
type WebhookServer ¶
type WebhookServer struct {
// contains filtered or unexported fields
}
WebhookServer contains a configured TLS server with MutationWebhook.
func NewWebhookServer ¶
func NewWebhookServer( kyvernoClient *kyvernoclient.Clientset, client *client.Client, tlsPair *tlsutils.PemPair, grInformer kyvernoinformer.GenerateRequestInformer, pInformer kyvernoinformer.ClusterPolicyInformer, rbInformer rbacinformer.RoleBindingInformer, crbInformer rbacinformer.ClusterRoleBindingInformer, rInformer rbacinformer.RoleInformer, crInformer rbacinformer.ClusterRoleInformer, namespace informers.NamespaceInformer, eventGen event.Interface, pCache policycache.Interface, webhookRegistrationClient *webhookconfig.Register, webhookMonitor *webhookconfig.Monitor, statusSync policystatus.Listener, configHandler config.Interface, prGenerator policyreport.GeneratorInterface, grGenerator *webhookgenerate.Generator, auditHandler AuditHandler, cleanUp chan<- struct{}, log logr.Logger, openAPIController *openapi.Controller, resCache resourcecache.ResourceCache, grc *generate.Controller, promConfig *metrics.PromConfig, ) (*WebhookServer, error)
NewWebhookServer creates a new instance of WebhookServer according to the given configuration. Policy Controller and Kubernetes Client should be initialized in the configuration.
func (*WebhookServer) HandleGenerate ¶ added in v1.1.0
func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []*kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo, dynamicConfig config.Interface, admissionRequestTimestamp int64, latencySender *chan int64, triggeredGeneratePoliciesSender *chan []kyverno.ClusterPolicy, generateEngineResponsesSender *chan []*response.EngineResponse)
HandleGenerate handles admission-requests for policies with generate rules
func (*WebhookServer) HandleMutation ¶
func (ws *WebhookServer) HandleMutation( request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []*kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo, admissionRequestTimestamp int64) ([]byte, []kyverno.ClusterPolicy, []*response.EngineResponse)
HandleMutation handles a mutating webhook admission request. Return values: generated patches, triggered policies, and engine responses corresponding to the triggered policies.
func (*WebhookServer) ResourceMutation ¶ added in v1.2.0
func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse
ResourceMutation mutates resource
func (*WebhookServer) RunAsync ¶
func (ws *WebhookServer) RunAsync(stopCh <-chan struct{})
RunAsync runs the TLS server in a separate thread and returns control immediately.
func (*WebhookServer) Stop ¶
func (ws *WebhookServer) Stop(ctx context.Context)
Stop stops the TLS server and returns control after the server is shut down.