Documentation
Index
- Constants
- func ForceMutate(ctx *context.Context, policy kyverno.ClusterPolicy, ...) (unstructured.Unstructured, error)
- func Generate(policyContext *PolicyContext) (resp *response.EngineResponse)
- func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ctx *PolicyContext, ...) error
- func ManagedPodResource(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) bool
- func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, ...) error
- func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse)
- func Validate(policyContext *PolicyContext) (resp *response.EngineResponse)
- func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineResponse)
- type APIPath
- type EngineStats
- type PolicyContext
Constants
const (
    // PodControllerCronJob represent CronJob string
    PodControllerCronJob = "CronJob"
    // PodControllers stores the list of Pod-controllers in csv string
    PodControllers = "DaemonSet,Deployment,Job,StatefulSet,CronJob"
    // PodControllersAnnotation defines the annotation key for Pod-Controllers
    PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
)
Variables
This section is empty.
Functions
func ForceMutate (added in v1.2.0)
func ForceMutate(ctx *context.Context, policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (unstructured.Unstructured, error)
ForceMutate does not check any conditions; it simply mutates the given resource. It is used to validate mutation logic and for tests.
func Generate
func Generate(policyContext *PolicyContext) (resp *response.EngineResponse)
Generate checks the validity of a generate rule on the resource:
1. validates the variables to be substituted in the general ruleInfo (match, exclude, condition)
   - the caller has to check the ruleResponse to determine whether the path exists
2. returns the list of rules that are applicable on this policy and resource, if step 1 succeeds
func LoadContext (added in v1.3.2)
func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ctx *PolicyContext, ruleName string) error
LoadContext - Fetches and adds external data to the Context.
func ManagedPodResource (added in v1.3.0)
func ManagedPodResource(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) bool
ManagedPodResource returns true:
- if the policy has auto-gen annotation && resource == Pod
- if the auto-gen contains cronJob && resource == Job
func MatchesResourceDescription (added in v0.8.0)
func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string, policyNamespace string) error
MatchesResourceDescription checks whether the resource matches the resource description of the rule.
func Mutate
func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse)
Mutate performs mutation: the overlay first, then the mutation patches.
func Validate
func Validate(policyContext *PolicyContext) (resp *response.EngineResponse)
Validate applies validation rules from policy on the resource
func VerifyAndPatchImages (added in v1.4.2)
func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineResponse)
Types
type APIPath (added in v1.3.2)
type APIPath struct {
    Root         string
    Group        string
    Version      string
    ResourceType string
    Name         string
    Namespace    string
}
func NewAPIPath (added in v1.3.2)
NewAPIPath validates and parses an API path. See: https://kubernetes.io/docs/reference/using-api/api-concepts/
type EngineStats (added in v0.8.0)
type EngineStats struct {
    // average time required to process the policy rules on a resource
    ExecutionTime time.Duration
    // Count of rules that were applied successfully
    RulesAppliedCount int
}
EngineStats stores the statistics for a single application of a resource.
type PolicyContext (added in v1.0.0)
type PolicyContext struct {
    // Policy is the policy to be processed
    Policy kyverno.ClusterPolicy

    // NewResource is the resource to be processed
    NewResource unstructured.Unstructured

    // OldResource is the prior resource for an update, or nil
    OldResource unstructured.Unstructured

    // Element is set when the context is used for processing a foreach loop
    Element unstructured.Unstructured

    // AdmissionInfo contains the admission request information
    AdmissionInfo kyverno.RequestInfo

    // Dynamic client - used by generate
    Client *client.Client

    // Config handler
    ExcludeGroupRole []string

    ExcludeResourceFunc func(kind, namespace, name string) bool

    // JSONContext is the variable context
    JSONContext *context.Context

    // NamespaceLabels stores the label of namespace to be processed by namespace selector
    NamespaceLabels map[string]string
}
PolicyContext contains the contexts for the engine to process.
func (*PolicyContext) Copy (added in v1.5.0)
func (pc *PolicyContext) Copy() *PolicyContext