engine

Published: Mar 9, 2023 License: Apache-2.0 Imports: 62 Imported by: 2

Constants

// DefaultAnnotationKeyDomain is the default domain used to namespace the
// engine's annotation keys (presumably the image-verification annotations
// emitted by VerifyAndPatchImages — verify against that code path).
const DefaultAnnotationKeyDomain = "cosign.sigstore.dev"

// CosignEnvVariable is the name of the environment variable the engine
// consults for cosign's experimental mode; where and how its value is read
// is not shown here.
const CosignEnvVariable = "COSIGN_EXPERIMENTAL"

Variables

This section is empty.

Functions

func ApplyBackgroundChecks added in v1.7.0

func ApplyBackgroundChecks(rclient registryclient.Client, policyContext *PolicyContext) (resp *response.EngineResponse)

ApplyBackgroundChecks checks the validity of generate and mutateExisting rules on the resource: 1. validates the variables to be substituted in the general ruleInfo (match, exclude, condition)

  • the caller has to check the ruleResponse to determine whether the path exists

2. returns the list of rules that are applicable to this policy and resource, if step 1 succeeds

func ForceMutate added in v1.2.0

ForceMutate does not check any conditions; it simply mutates the given resource. It is used to validate mutation logic, and for tests.

func GenerateResponse added in v1.6.2

func GenerateResponse(rclient registryclient.Client, policyContext *PolicyContext, gr kyvernov1beta1.UpdateRequest) (resp *response.EngineResponse)

GenerateResponse checks the validity of the generate rule on the resource.

func GetSubresourceGVKToAPIResourceMap added in v1.9.0

func GetSubresourceGVKToAPIResourceMap(kindsInPolicy []string, ctx *PolicyContext) map[string]*metav1.APIResource

GetSubresourceGVKToAPIResourceMap returns a map of subresource GVK to APIResource. This is used to determine if a resource is a subresource.

func LoadContext added in v1.3.2

func LoadContext(ctx context.Context, logger logr.Logger, rclient registryclient.Client, contextEntries []kyvernov1.ContextEntry, enginectx *PolicyContext, ruleName string) error

LoadContext fetches external data and adds it to the Context.

func ManagedPodResource added in v1.3.0

func ManagedPodResource(policy kyvernov1.PolicyInterface, resource unstructured.Unstructured) bool

ManagedPodResource returns true if: the policy has the auto-gen annotation and the resource is a Pod; or the auto-gen annotation contains cronJob and the resource is a Job.

func MatchesResourceDescription added in v0.8.0

func MatchesResourceDescription(subresourceGVKToAPIResource map[string]*metav1.APIResource, resourceRef unstructured.Unstructured, ruleRef kyvernov1.Rule, admissionInfoRef kyvernov1beta1.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string, policyNamespace, subresourceInAdmnReview string) error

MatchesResourceDescription checks whether the resource matches the rule's resource description.

func Mutate

func Mutate(ctx context.Context, rclient registryclient.Client, policyContext *PolicyContext) (resp *response.EngineResponse)

Mutate performs mutation: the overlay is applied first, then the mutation patches.

func Validate

func Validate(ctx context.Context, rclient registryclient.Client, policyContext *PolicyContext) (resp *response.EngineResponse)

Validate applies validation rules from policy on the resource

Types

type EngineStats added in v0.8.0

// EngineStats holds the statistics recorded for a single application of a
// policy's rules on a resource.
type EngineStats struct {
	// ExecutionTime is the average time spent processing the policy rules on
	// a resource.
	ExecutionTime time.Duration
	// RulesAppliedCount is the number of rules that were applied successfully.
	RulesAppliedCount int
}

EngineStats stores the statistics for a single application on a resource.

type ExcludeFunc added in v1.9.0

// ExcludeFunc reports whether the resource identified by kind, namespace and
// name is excluded from policy processing. Callers supply one through
// PolicyContext.WithExcludeResourceFunc.
type ExcludeFunc = func(kind string, namespace string, name string) bool

ExcludeFunc is a function used to determine if a resource is excluded

type ImageVerificationMetadata added in v1.7.0

// ImageVerificationMetadata is the verification outcome returned alongside the
// EngineResponse by VerifyAndPatchImages; Patches renders it into patch
// documents.
type ImageVerificationMetadata struct {
	// Data maps an image (presumably its reference — verify against
	// VerifyAndPatchImages) to whether it passed verification.
	// NOTE(review): if this ends up persisted as a resource annotation, the
	// engine's verdict should come from this struct, not from an annotation
	// already present on the incoming object — confirm how Patches treats
	// hasAnnotations.
	Data map[string]bool `json:"data"`
}

func VerifyAndPatchImages added in v1.4.2

func VerifyAndPatchImages(
	ctx context.Context,
	rclient registryclient.Client,
	policyContext *PolicyContext,
) (*response.EngineResponse, *ImageVerificationMetadata)

func (*ImageVerificationMetadata) IsEmpty added in v1.7.0

func (ivm *ImageVerificationMetadata) IsEmpty() bool

func (*ImageVerificationMetadata) Merge added in v1.7.0

func (*ImageVerificationMetadata) Patches added in v1.7.0

func (ivm *ImageVerificationMetadata) Patches(hasAnnotations bool, log logr.Logger) ([][]byte, error)

type PolicyContext added in v1.0.0

type PolicyContext struct {
	// contains filtered or unexported fields
}

PolicyContext contains the contexts for the engine to process.

func NewPolicyContext added in v1.9.0

func NewPolicyContext() *PolicyContext

func NewPolicyContextFromAdmissionRequest added in v1.9.0

func NewPolicyContextFromAdmissionRequest(
	request *admissionv1.AdmissionRequest,
	admissionInfo kyvernov1beta1.RequestInfo,
	configuration config.Configuration,
	client dclient.Interface,
	informerCacheResolver resolvers.ConfigmapResolver,
	polexLister PolicyExceptionLister,
) (*PolicyContext, error)

func NewPolicyContextWithJsonContext added in v1.9.0

func NewPolicyContextWithJsonContext(jsonContext enginectx.Interface) *PolicyContext

Constructors

func (*PolicyContext) AdmissionInfo added in v1.0.0

func (c *PolicyContext) AdmissionInfo() kyvernov1beta1.RequestInfo

func (PolicyContext) Copy added in v1.5.0

func (c PolicyContext) Copy() *PolicyContext

func (*PolicyContext) FindExceptions added in v1.9.0

func (c *PolicyContext) FindExceptions(rule string) ([]*kyvernov2alpha1.PolicyException, error)

func (*PolicyContext) JSONContext added in v1.2.0

func (c *PolicyContext) JSONContext() enginectx.Interface

func (*PolicyContext) NamespaceLabels added in v1.3.2

func (c *PolicyContext) NamespaceLabels() map[string]string

func (*PolicyContext) NewResource added in v1.0.0

func (c *PolicyContext) NewResource() unstructured.Unstructured

func (*PolicyContext) OldResource added in v1.0.0

func (c *PolicyContext) OldResource() unstructured.Unstructured

func (*PolicyContext) Policy added in v1.0.0

func (*PolicyContext) WithAdmissionInfo added in v1.9.0

func (c *PolicyContext) WithAdmissionInfo(admissionInfo kyvernov1beta1.RequestInfo) *PolicyContext

func (*PolicyContext) WithAdmissionOperation added in v1.9.0

func (c *PolicyContext) WithAdmissionOperation(admissionOperation bool) *PolicyContext

func (*PolicyContext) WithClient added in v1.9.0

func (c *PolicyContext) WithClient(client dclient.Interface) *PolicyContext

func (*PolicyContext) WithConfiguration added in v1.9.0

func (c *PolicyContext) WithConfiguration(configuration config.Configuration) *PolicyContext

func (*PolicyContext) WithExceptions added in v1.9.0

func (c *PolicyContext) WithExceptions(peLister PolicyExceptionLister) *PolicyContext

func (*PolicyContext) WithExcludeGroupRole added in v1.9.0

func (c *PolicyContext) WithExcludeGroupRole(excludeGroupRole ...string) *PolicyContext

func (*PolicyContext) WithExcludeResourceFunc added in v1.9.0

func (c *PolicyContext) WithExcludeResourceFunc(excludeResourceFunc ExcludeFunc) *PolicyContext

func (*PolicyContext) WithInformerCacheResolver added in v1.9.0

func (c *PolicyContext) WithInformerCacheResolver(informerCacheResolver resolvers.ConfigmapResolver) *PolicyContext

func (*PolicyContext) WithNamespaceLabels added in v1.9.0

func (c *PolicyContext) WithNamespaceLabels(namespaceLabels map[string]string) *PolicyContext

func (*PolicyContext) WithNewResource added in v1.9.0

func (c *PolicyContext) WithNewResource(resource unstructured.Unstructured) *PolicyContext

func (*PolicyContext) WithOldResource added in v1.9.0

func (c *PolicyContext) WithOldResource(resource unstructured.Unstructured) *PolicyContext

func (*PolicyContext) WithPolicy added in v1.9.0

func (c *PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext

func (*PolicyContext) WithRequestResource added in v1.9.0

func (c *PolicyContext) WithRequestResource(requestResource metav1.GroupVersionResource) *PolicyContext

func (*PolicyContext) WithResources added in v1.9.0

func (c *PolicyContext) WithResources(newResource unstructured.Unstructured, oldResource unstructured.Unstructured) *PolicyContext

func (*PolicyContext) WithSubresource added in v1.9.0

func (c *PolicyContext) WithSubresource(subresource string) *PolicyContext

func (*PolicyContext) WithSubresourcesInPolicy added in v1.9.0

func (c *PolicyContext) WithSubresourcesInPolicy(subresourcesInPolicy []struct {
	APIResource    metav1.APIResource
	ParentResource metav1.APIResource
},
) *PolicyContext

type PolicyExceptionLister added in v1.9.0

// PolicyExceptionLister is the read-only view of PolicyException objects that
// the engine consults when resolving exceptions (see
// PolicyContext.FindExceptions).
type PolicyExceptionLister interface {
	// List returns every PolicyException in the indexer that matches
	// selector. The returned objects must be treated as read-only.
	List(selector labels.Selector) (ret []*kyvernov2alpha1.PolicyException, err error)
}
