engine

package
v1.8.1-rc.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 24, 2022 License: Apache-2.0 Imports: 56 Imported by: 2

Documentation

Index

Constants

View Source 
const (
	DefaultAnnotationKeyDomain = "cosign.sigstore.dev"
	CosignEnvVariable          = "COSIGN_EXPERIMENTAL"
)

Variables

This section is empty.

Functions

func ApplyBackgroundChecks added in v1.7.0 

func ApplyBackgroundChecks(policyContext *PolicyContext) (resp *response.EngineResponse)

ApplyBackgroundChecks checks for validity of generate and mutateExisting rules on the resource 1. validate variables to be substitute in the general ruleInfo (match,exclude,condition)

  • the caller has to check the ruleResponse to determine whether the path exist

2. returns the list of rules that are applicable on this policy and resource, if 1 succeed

func ForceMutate added in v1.2.0 

func ForceMutate(ctx context.Interface, policy kyvernov1.PolicyInterface, resource unstructured.Unstructured) (unstructured.Unstructured, error)

ForceMutate does not check any conditions, it simply mutates the given resource It is used to validate mutation logic, and for tests.

func GenerateResponse added in v1.6.2 

func GenerateResponse(policyContext *PolicyContext, gr kyvernov1beta1.UpdateRequest) (resp *response.EngineResponse)

GenerateResponse checks for validity of generate rule on the resource

func LoadContext added in v1.3.2 

func LoadContext(logger logr.Logger, contextEntries []kyvernov1.ContextEntry, ctx *PolicyContext, ruleName string) error

LoadContext - Fetches and adds external data to the Context.

func ManagedPodResource added in v1.3.0 

func ManagedPodResource(policy kyvernov1.PolicyInterface, resource unstructured.Unstructured) bool

ManagedPodResource returns true: - if the policy has auto-gen annotation && resource == Pod - if the auto-gen contains cronJob && resource == Job

func MatchesResourceDescription added in v0.8.0 

func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyvernov1.Rule, admissionInfoRef kyvernov1beta1.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string, policyNamespace string) error

MatchesResourceDescription checks if the resource matches resource description of the rule or not

func Mutate 

func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse)

Mutate performs mutation. Overlay first and then mutation patches

func Validate 

func Validate(policyContext *PolicyContext) (resp *response.EngineResponse)

Validate applies validation rules from policy on the resource

Types

type EngineStats added in v0.8.0 

type EngineStats struct {
	// average time required to process the policy rules on a resource
	ExecutionTime time.Duration
	// Count of rules that were applied successfully
	RulesAppliedCount int
}

EngineStats stores in the statistics for a single application of resource

type ImageVerificationMetadata added in v1.7.0 

type ImageVerificationMetadata struct {
	Data map[string]bool `json:"data"`
}

func VerifyAndPatchImages added in v1.4.2 

func VerifyAndPatchImages(policyContext *PolicyContext) (*response.EngineResponse, *ImageVerificationMetadata)

func (*ImageVerificationMetadata) IsEmpty added in v1.7.0 

func (ivm *ImageVerificationMetadata) IsEmpty() bool

func (*ImageVerificationMetadata) Merge added in v1.7.0 

func (ivm *ImageVerificationMetadata) Merge(other *ImageVerificationMetadata)

func (*ImageVerificationMetadata) Patches added in v1.7.0 

func (ivm *ImageVerificationMetadata) Patches(hasAnnotations bool, log logr.Logger) ([][]byte, error)

type PolicyContext added in v1.0.0 

type PolicyContext struct {
	// Policy is the policy to be processed
	Policy kyvernov1.PolicyInterface

	// NewResource is the resource to be processed
	NewResource unstructured.Unstructured

	// OldResource is the prior resource for an update, or nil
	OldResource unstructured.Unstructured

	// Element is set when the context is used for processing a foreach loop
	Element unstructured.Unstructured

	// AdmissionInfo contains the admission request information
	AdmissionInfo kyvernov1beta1.RequestInfo

	// Dynamic client - used for api lookups
	Client dclient.Interface

	// Config handler
	ExcludeGroupRole []string

	ExcludeResourceFunc func(kind, namespace, name string) bool

	// JSONContext is the variable context
	JSONContext context.Interface

	// NamespaceLabels stores the label of namespace to be processed by namespace selector
	NamespaceLabels map[string]string

	// AdmissionOperation represents if the caller is from the webhook server
	AdmissionOperation bool
}

PolicyContext contains the contexts for engine to process

func (*PolicyContext) Copy added in v1.5.0 

func (pc *PolicyContext) Copy() *PolicyContext

Source Files

View all Source files

Directories

Path Synopsis
patch
operator

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.